No password security on forums

PostAuthor: tizmo » Fri Jun 12, 2015 10:32 pm

Hey team,

Is there a reason why the forums do not use any protection for our credentials/passwords when we login and while we are logged in?

1. The login page is "http" not "https", so there is no encryption between my browser and the Avlis forum server.

2. The login page sends my username and password in the clear (plaintext), so anyone watching my network traffic can read them.

3. This also makes me wonder if the passwords are stored in plaintext on the server. I hope not!

It is now standard practice to protect the credentials of website users for a number of good reasons.

Some options would be:

1. Use https to at least protect the users against snooping on the network.

2. Have the browser compute a cryptographic hash (i.e. Bcrypt) of the password and send that over the network instead of the actual password. Also, store the password's hash not the password in the database. Here is an open source PHP library that does secure password handling: http://www.openwall.com/phpass/ . Current versions of phpBB include the phpass library by default, so it should be easy to implement.

P.S. All users should make certain that their Avlis password is not used on any other site where they care to protect the content.

Thanks,
Tizmo

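The server-side half of option 2 above, as an added example that is not code from this thread, from phpBB or from phpass: each password is hashed with a fresh random salt and a configurable work factor, the stored record is self-describing (algorithm, cost, salt, digest) so the cost can be raised later, and verification uses a constant-time comparison. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which needs a third-party package; the iteration count and the record layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the example; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt$digest.

    A fresh 16-byte salt means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed table for everyone.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def _parse(stored: str):
    """Split a record into (algorithm, iterations, salt, digest) or None."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad int, bad base64
        return None
    if algo != ALGORITHM or iterations < 1 or not salt or not digest:
        return None
    return algo, iterations, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the record's own salt and cost.

    hmac.compare_digest runs in constant time, so a mismatch in the
    first byte takes as long as a mismatch in the last one.
    """
    parsed = _parse(stored)
    if parsed is None:
        return False
    _, iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a lower cost than the current policy.

    Call this after a successful login and re-store hash_password(pw)
    so old records are upgraded transparently over time.
    """
    parsed = _parse(stored)
    return parsed is None or parsed[1] < iterations


if __name__ == "__main__":
    # Constructed sample: what a registration followed by two logins does.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("same password, different record:",
          hash_password("correct horse battery staple") != record)
```

Only the record string is written to the database; the plaintext password exists in memory for the duration of the request and nowhere else, which is the property the first post asks about.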

Re: No password security on forums

PostAuthor: krackq » Sat Jun 13, 2015 2:46 am

phpBB does actually use phpass for hashing passwords in the database. Passwords are never stored plain text.

It's possible to turn on SSL after acquiring a cert, but since it's never been used, a number of mods and links that currently function on the forum will likely break. It would certainly require testing if we were to go down that route. While using secure HTTP is always a better practice in general, we currently do not sell or take payments, or store any sensitive or PII data; the closest thing would be birthdate if you choose to enter it. We don't keep names or addresses or anything else like that either. SSL is something to look into at least, and what the potential pitfalls and gotchas are.

Your PS statement is good practice as well. As difficult as it might be, you should never reuse passwords between sites, or at the very least don't use the same password for the Avlis forum that you do for your banking website, or the same password you log into the game servers with that you do for anything else sensitive. It's just good security practice.
