Geekzone passwords in plain text

Forums › Geekzone › Geekzone passwords in plain text

nzpat

167 posts

Master Geek

#56813 24-Jan-2010 21:56

I dont know what the deal is but occasionally I see my password in plain text in my url bar, surely displaying this isnt the best or most secure practice for a website of geeks.

See below, it mainly happens when I go to GeekZone for the first time in a while, some sort of redirect takes place putting my user name and password up for whoever happens to be on my computer or glancing over my shoulder.

http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz&password=XXXXXX&ret_page=%2Fdefault%2Easp%3F

Just a FYI in any case.

Cheers.

1 | 2

939 posts

Ultimate Geek

Trusted

#292761 24-Jan-2010 22:15

Old news :-P

codyc1515

1598 posts

Uber Geek
Inactive user

#292767 24-Jan-2010 22:24

Why dont they fix it then, they've clearly had more than enough time?
I emailed them about this months ago, and never heard anything back!

rscole86

4973 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#292770 24-Jan-2010 22:27

What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.

nzpat

167 posts

Master Geek

#292777 24-Jan-2010 22:41

No I don't and thats besides the point, but seriously its given in plain text as an argument even when you log on. Might aswell set it to 123abc or qwerty.

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#292782 24-Jan-2010 23:03

patznz: No I don't and thats besides the point, but seriously its given in plain text as an argument even when you log on. Might aswell set it to 123abc or qwerty.

The page is only loaded when you click login, so unless someone already knows your password, they are not going to be able to access your account.

Even if the login system was changed from GET to POST, your username/password are still going to be sent unencrypted to the Geekzone server, which can be intercepted in transit. Then the argument comes up of using SSL (similar to banks) to prevent this.

Seriously, if someone did get into your account, what's the worst they can do?

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#292786 24-Jan-2010 23:10

codyc1515: Why dont they fix it then, they've clearly had more than enough time?
I emailed them about this months ago, and never heard anything back!

I reply to all emails, and I didn't receive anything.

As for the URL you see, it looks like you bookmarked the login page - check that. It shouldn't "show" on your browser as it is a redirect - unless you bookmark that specific URL.

Search for a recent (last week) discussion called "IP Addresses" and read through it. In short, your password is hashed in our database. It's only unencrypted when doing a submit to our server. The worst thing it could happen is someone use your password to log into another service.

Being a geek I am sure you use a different password for each different service, right?

But, yes, read that discussion.

PenultimateHop

637 posts

Ultimate Geek

Trusted

#292790 24-Jan-2010 23:20

rscole86: What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.

There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path. If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#292791 24-Jan-2010 23:44

PenultimateHop: I am surprised SSL is not used for transmitting credentials - it really is best practice.

Alittle overkill don't you think for just forums?

meesham

973 posts

Ultimate Geek

#292793 24-Jan-2010 23:45

PenultimateHop:
There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path. If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.

For people who login at their work that's a valid point, depends on the web filter/monitor that the IT department run the URL could show up on the list, having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe, browse through an SSL proxy.

Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

PenultimateHop

637 posts

Ultimate Geek

Trusted

#292808 25-Jan-2010 06:25

nate: Alittle overkill don't you think for just forums?

Not in the slightest. Security is a serious consideration; and anything but best practices encourages complacency. There are mechanisms out there to permit secure transactions across the Internet, and their usage should be encouraged.

meesham: For people who login at their work that's a valid point, depends on the web filter/monitor that the IT department run the URL could show up on the list, having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe, browse through an SSL proxy.

While I agree that people using public wifi should be keeping themselves safe, again it encourages complacency especially when you could reasonably assume that a technology focused site would be following best practices for securing data. Of course, you can also reasonably argue that a technology savvy user would be keeping themselves secure or be aware of the risks involved, but frankly if a hammer is available why would you use a spoon?

meesham: Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

That is a poor excuse and very much a red herring. SNI (RFC3546) works around that problem, as does using multiple ports for separate SSL virtual hosts, as does having a single generic SSL site for multiple other sites. Additionally a site like Geekzone is already running on its own IP address.

IPv4 depletion is a real problem, but it is not an excuse for avoiding SSL.

rattewisday

203 posts

Master Geek

#292822 25-Jan-2010 08:57

It doesn't bother me to much either way but you make an excellent point PenultimateHop.

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#292834 25-Jan-2010 10:20

Have you guys read the other discussion as suggested? There are ways around it - we have a SSL cert on Geekzone for about three years now. Can we submit to a SSL login, save a token to the database, return it to the non-SSL session already in progress (or create a new one) with that one token? Yes, we can.

Will that prevent impersionation? No, it won't. Because unless the whole session is encrypted then someone looking over your connection could easily capture the token and still impersonate you.

Yes, I am thinking of a solution, no it won't be something like "or, turn on SSL it's all fixed now".

Filterer

489 posts

Ultimate Geek

#292861 25-Jan-2010 13:17

freitasm: Will that prevent impersionation? No, it won't. Because unless the whole session is encrypted then someone looking over your connection could easily capture the token and still impersonate you.

Heard of cookies? Thats exactly what it is supposed to prevent (putting session data in the url etc)
Putting the password or any sensitive data in the url makes it show up in web history which is very very bad in all security books.... (even over ssl)

pɐǝɥ sıɥ uo ƃuıpuɐʇs

Ragnor

8219 posts

Uber Geek

Trusted

#292870 25-Jan-2010 13:51

@freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/severs can potentially read browsing history including visited urls via various methods (javascript, activex, flash, referrer etc).

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#292878 25-Jan-2010 14:16

Ragnor, point take. I will modify this later today when back home - remember it's a Wellington holiday here...

1 | 2