Caravel Forum : Caravel Boards : The Site : Your password - easily visible.
coppro
Level: Smitemaster
Rank Points: 1309
Registered: 11-24-2005
Your password - easily visible.
On any page with a field where you must enter your password - most notably a new post or post edit page - your password is visible in the source code for the page. This is a big leak, because if you log on at someone else's house, or someone comes over and checks things out, then they can steal your account easily, and not even right then.

On the same note, it might be worth removing the default password from the Modify Profile page - there's no point in having it there if it just fills itself in for you. (The posting page is different, because it allows you to switch users easily from the posting page, which is really nice for people who have two people on one computer.)

Ideally, you either remove the "default=password" line, or make it retrieve it from a cookie, as opposed to being supplied by the database itself.
07-19-2006 at 11:12 PM
Briareos
Level: Smitemaster
Rank Points: 3516
Registered: 08-07-2005
Re: Your password - easily visible.
coppro wrote:
On any page with a field where you must enter your password - most notably a new post or post edit page, your password is visible in the sourcecode for the page. This is a big leak, because if you log on at someone else's house, or someone comes over and checks things out, then they can steal your account easily, and not even right then.
Well, you could fill the field with some randomly generated characters, remember on the server side when and for whom they were generated, and expire them when they are used once instead of the password or after 1 hour, whichever comes first.

So either you leave that random string of characters in the password box, which can't be reused, or you enter your username and password manually, which gets checked as before.

That way, you get automatic passwording, but without the phishing... :)

np: Isan - Caddis (Lucky Cat)

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009) :(
07-19-2006 at 11:46 PM
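Briareos's scheme, as an added example written for this edit (it is not tForum's code and does not come from anyone in this thread): a server-side table of single-use tokens, each bound to the user it was issued for and expiring after an hour, with the ordinary username/password check still available when the user types the password manually. The user store, the PBKDF2 password hashing and the injectable clock are assumptions made so the example runs on its own.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # one hour, as in the proposal


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the stored credential (assumed storage; the real forum's schema is unknown)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PostingTokens:
    """One-time stand-ins for the password in the posting form.

    issue() returns the random string the form is pre-filled with instead of
    the password; authenticate() accepts either such a token (bound to the
    user it was issued for, single use, expiring after TOKEN_TTL_SECONDS) or
    the real password entered manually.
    """

    def __init__(self, users, now=time.time):
        self.users = users      # username -> (salt, pbkdf2 hash); constructed, not tForum's schema
        self.now = now          # injectable clock so expiry can be tested
        self.tokens = {}        # token -> (username, issued_at)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG; not guessable
        self.tokens[token] = (username, self.now())
        return token

    def sweep(self) -> None:
        """Drop expired tokens so the table does not grow without bound."""
        cutoff = self.now() - TOKEN_TTL_SECONDS
        self.tokens = {t: v for t, v in self.tokens.items() if v[1] >= cutoff}

    def check_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(hash_password(password, salt), expected)

    def authenticate(self, username: str, secret: str) -> bool:
        # pop() consumes the token on its first presentation, valid or not,
        # so a stolen token can be tried exactly once.
        entry = self.tokens.pop(secret, None)
        if entry is not None:
            owner, issued_at = entry
            return owner == username and self.now() - issued_at <= TOKEN_TTL_SECONDS
        # Not a token: fall back to the ordinary username/password check.
        return self.check_password(username, secret)
```

The token is consumed whether or not the attempt succeeds, so someone who copies it out of the page source and presents it under another user name burns it rather than keeping a second try; the owner simply gets a fresh one on the next page load.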
Schik
Level: Legendary Smitemaster
Rank Points: 5413
Registered: 02-04-2003
Re: Your password - easily visible.
coppro wrote:
Ideally, you either remove the "default=password" line, or make it retreive it from a cookie, as opposed to being supplied by the database itself.
I don't know what "default=password" line you're talking about. The password *is* retrieved from a cookie. If you don't log out of the forum, anyone can just retrieve it from the cookie rather than by looking at the source for a posting page or your profile page. So removing it from there wouldn't make anything more secure.

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
07-20-2006 at 01:58 AM
coppro
Level: Smitemaster
Rank Points: 1309
Registered: 11-24-2005
Re: Your password - easily visible.
Schik wrote:
coppro wrote:
Ideally, you either remove the "default=password" line, or make it retreive it from a cookie, as opposed to being supplied by the database itself.
I don't know what "default=password" line you're talking about. The password *is* retrieved from a cookie. If you don't log out of the forum, anyone can just retrieve it from the cookie rather than by looking at the source for a posting page or your profile page. So removing it from there wouldn't make anything more secure.

Okay. So just curiosity, oughtn't that be encrypted?
07-20-2006 at 02:13 AM
Schik
Level: Legendary Smitemaster
Rank Points: 5413
Registered: 02-04-2003
Re: Your password - easily visible.
coppro wrote:
Okay. So just curiosity, oughtn't that be encrypted?
Well, the forum needs to accept *something*. If it accepts an encrypted password, then the only thing you've gained is that nobody knows what the actual password is. But they'd still know what they have to send to the server to be logged in as you. It doesn't really gain you much to encrypt it. Bottom line is, if you don't log out, people can do things with your account.

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
07-20-2006 at 02:22 AM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Your password - easily visible.
Haven't looked in the cookie, but shouldn't the password be hashed client and server side?
07-20-2006 at 08:05 PM
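To put Schik's point and Syntax's question into code, an added example that is not from this thread or from tForum: whatever the cookie carries, a copy of it is exactly what the server accepts, so hashing the password before it goes into the cookie hides the password but not the access. Only a value the server itself remembers and can forget (a random session id) lets logging out cut a stolen copy off. The Forum class, its storage and the credentials are constructed for the example.

```python
import hashlib
import secrets


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


class Forum:
    """Two cookie designs side by side. Constructed model, not the forum's own code."""

    def __init__(self):
        self.users = {}     # username -> sha256(password); assumed storage
        self.sessions = {}  # session id -> username; server-side state for design B

    def set_password(self, username: str, password: str) -> None:
        self.users[username] = sha256_hex(password)

    def _valid(self, username: str, password: str) -> bool:
        return self.users.get(username) == sha256_hex(password)

    # Design A: the cookie carries the user name and a hash of the password.
    # Whoever holds the cookie can replay it; the server has nothing to revoke.
    def hash_cookie_login(self, username: str, password: str):
        if not self._valid(username, password):
            return None
        return {"user": username, "pwhash": sha256_hex(password)}

    def hash_cookie_who(self, cookie):
        user = cookie.get("user")
        if user is not None and self.users.get(user) == cookie.get("pwhash"):
            return user
        return None

    # Design B: the cookie carries only a random session id that the server
    # remembers and can forget (logout, expiry, "log out everywhere").
    def session_login(self, username: str, password: str):
        if not self._valid(username, password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return {"sid": sid}

    def session_who(self, cookie):
        return self.sessions.get(cookie.get("sid"))

    def logout(self, cookie) -> None:
        self.sessions.pop(cookie.get("sid"), None)


def replay_after_logout() -> dict:
    """Copy each kind of cookie, have the owner log out, then try the copies."""
    forum = Forum()
    forum.set_password("coppro", "correct horse")   # constructed credentials

    a = forum.hash_cookie_login("coppro", "correct horse")
    stolen_a = dict(a)          # attacker copies the cookie; never sees the password
    # Design A has no server-side logout: deleting the cookie from the owner's
    # browser changes nothing the server consults, so the copy still works.
    a_after = forum.hash_cookie_who(stolen_a)

    b = forum.session_login("coppro", "correct horse")
    stolen_b = dict(b)
    b_before = forum.session_who(stolen_b)
    forum.logout(b)             # the owner logs out; the server forgets the id
    b_after = forum.session_who(stolen_b)

    # Only a password change invalidates a hash-cookie copy.
    forum.set_password("coppro", "new passphrase")
    a_after_change = forum.hash_cookie_who(stolen_a)

    return {"hash_cookie_replays_after_logout": a_after,
            "session_cookie_before_logout": b_before,
            "session_cookie_after_logout": b_after,
            "hash_cookie_after_password_change": a_after_change}
```

In design A the hash in the cookie is a bearer credential just as the plaintext password would be; the attacker gains nothing from learning the password because the hash already is the password as far as the server is concerned, which is Schik's "they'd still know what they have to send". Design B is what "logging out" actually protects.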

Powered by: tForum tForumHacks Edition b0.98.8
Originally created by Toan Huynh (Copyright © 2000)
Enhanced by the tForumHacks team and the Caravel team.