stijntje Posted February 28, 2019 Posted February 28, 2019 Important security issue you should all be aware of : your password is not encripted on this site, so Michael and any other person who has access to the database, can read it. In other words : any hacker will have access to your email / password combination. How is it possible in 2019 to take such risks as website owner ? Not sure at all I will remain member. thaiophilus 1 Quote
TotallyOz Posted February 28, 2019 Posted February 28, 2019 I cannot see your password. All member information is stored in a database. What stijntje is referring to is when he requests a forgot password, the password is sent to him as opposed to a link to reset the password. In 2019, I assume that every place I type information is stored on their system. I do not use the same password for multiple sites. This site is SSL secured. We pay for that each year and follow industry standards for securing sites. However, I always assume that when I register on a site that the site will have information about me. I know right now I can see every IP from each member, all emails, your browser, etc. I cannot see your password. Quote
Guest Posted March 1, 2019 Posted March 1, 2019 12 hours ago, stijntje said: In other words : any hacker will have access to your email / password combination. How is it possible in 2019 to take such risks as website owner ? How about the users taking a little responsibility ourselves ? I have several e-mail addresses. One is reserved for friends and financial matters. A second is used for general travel, forums etc ( including this one ) A third is used for a sideline business. The 4th and 5th are used for anything I distrust. The password I use here follows a completely different pattern to those used for banking. Therefore, anyone who gets my e-mail & password from here cannot use the info to hack anything of financial value. Quote
Guest Posted March 5, 2019 Posted March 5, 2019 On 2/28/2019 at 4:58 PM, stijntje said: Important security issue you should all be aware of : your password is not encripted on this site, so Michael and any other person who has access to the database, can read it. In other words : any hacker will have access to your email / password combination. How is it possible in 2019 to take such risks as website owner ? Not sure at all I will remain member. I guess it is possible when someone does not understand security protocols! Quote
colmx Posted March 10, 2019 Posted March 10, 2019 On 3/5/2019 at 8:02 PM, Scooby said: I guess it is possible when someone does not understand security protocols! Could you explain it for us so instead of being so belittling to the OP? Vessey and vinapu 1 1 Quote
Guest Posted March 11, 2019 Posted March 11, 2019 Why would you ask me. Michael answered it completely? colmx 1 Quote
thaiophilus Posted July 26, 2019 Posted July 26, 2019 On 3/10/2019 at 8:23 PM, colmx said: Could you explain it for us so instead of being so belittling to the OP? Stijntje is right. Websites that store actual passwords are not secure by today's standards. Anyone at the hosting service where the database is stored can access the passwords of everybody using this site. So can anyone who knows how to hack into the hosting service, and there are plenty of those - see the frequent headlines. Yes, you can mitigate the risk following z909's recommendations (I certainly do!) but even so, someone hostile (and there must be many people who disapprove of this site) could use your credentials to impersonate you here. Best practice "industry standard" 2019-style requires that at a minimum, any site with password access should store not the password but some kind of cryptographic hash of it. When you log in, the system computes the hash from your password, discards the password and compares its hash with the hash in the database. The password itself is never stored anywhere, and if anyone steals the database they cannot easily reverse the hash to recover the password. The fact that the site is SSL secured is irrelevant here - that protects your password against eavesdroppers as you log in, which is good, but it does nothing to protect the password database itself. (Incidentally, SSL hasn't been best practice for the last decade or so, having been replaced by TLS .) Emailing a forgotten password is also anything but best practice, since email is totally insecure, and messages could be read by anyone with access to any of the many routers and switches the email passes through. Bottom line: Any site that can tell you your password if you lose it, can tell anyone else too. Any site that tells you your password by email has also told an unknown number of other people. That's why if you forget a password, most of the sites you interact with today will email you, not the new password but a link to an HTTPS connection to create a new password. They don't tell you the old password, because they don't know it. vinapu, GWMinUS and ChristianPFC 2 1 Quote