
No password security on forums

Posted: Fri Jun 12, 2015 10:32 pm
Author: tizmo
Hey team,

Is there a reason why the forums do not use any protection for our credentials/passwords when we login and while we are logged in?

1. The login page is "http" not "https", so there is no encryption between my browser and the Avlis forum server.

2. The login page sends my username and password in the clear (plaintext), so anyone watching my network traffic can read them.

3. This also makes me wonder if the passwords are stored in plaintext on the server. I hope not!

It is now standard practice to protect the credentials of website users for a number of good reasons.

Some options would be:

1. Use https to at least protect the users against snooping on the network.

2. Have the browser compute a cryptographic hash (e.g. bcrypt) of the password and send that over the network instead of the actual password. Also, store the password's hash, not the password, in the database. Here is an open source PHP library that does secure password handling: http://www.openwall.com/phpass/. Current versions of phpBB include the phpass library by default, so it should be easy to implement.

P.S. All users should make certain that their Avlis password is not used on any other site where they care to protect the content.

Thanks,
Tizmo
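As an added illustration of the server-side half of option 2 (this is example code written for this thread, not phpBB's or phpass's own code), the snippet below shows how a forum backend keeps only a salted, slow bcrypt hash of each password using PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5 and later). The `$users` array stands in for the database table and the account names and passwords are constructed for the example.

```php
<?php
// Added example, not phpBB's or phpass's own code: a forum backend that stores
// only a salted bcrypt hash per account and verifies logins against it.
// The $users array is a stand-in for the user table (constructed here).

declare(strict_types=1);

const BCRYPT_COST = 12; // work factor; raise it over time as hardware gets faster

/** Create an account. Only the hash is kept; the plaintext is never written anywhere. */
function register_user(array &$users, string $username, string $password): void
{
    // password_hash() draws a random salt and embeds salt, cost and algorithm id
    // in the returned string, e.g. "$2y$12$<22-char salt><31-char hash>".
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Check a login attempt and return true on success.
 * For an unknown username a dummy verification is still run, so response
 * time does not reveal which usernames exist.
 */
function check_login(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }

    $stored = $users[$username];
    if (!password_verify($password, $stored)) {
        return false;
    }

    // Transparent upgrade: if the stored hash was produced with a cheaper cost,
    // re-hash now while the plaintext is still in memory for this request.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Demonstration with constructed accounts.
$users = [];
register_user($users, 'tizmo', 'correct horse battery staple');

var_dump(check_login($users, 'tizmo', 'correct horse battery staple'));
var_dump(check_login($users, 'tizmo', 'wrong password'));
var_dump(check_login($users, 'nobody', 'anything'));

// What actually sits in the table: an opaque bcrypt string, never the password.
echo $users['tizmo'], PHP_EOL;
```

One caveat on the browser-side hashing part of option 2: whatever the browser sends is, from the server's point of view, the credential, so a network observer who captures a client-computed hash can replay it just as they could a plaintext password. Client-side hashing therefore does not replace option 1 (HTTPS), and the server must still run its own slow hash over what it receives, as above, so that a copied database does not yield working credentials.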

Re: No password security on forums

Posted: Sat Jun 13, 2015 2:46 am
Author: krackq
phpBB does actually use phpass for hashing passwords in the database. Passwords are never stored in plain text.

It's possible to turn on SSL after acquiring a cert, but since it's never been used, a number of mods and links that currently function on the forum will likely break. It would certainly require testing if we were to go down that route. While using secure HTTP is always a better practice in general, we currently do not sell or take payments, or store any sensitive or PII data. The closest thing would be birthdate, if you choose to enter it. We don't keep names or addresses or anything else like that either. SSL is something to look into at least, and what the potential pitfalls and gotchas are.

Your P.S. statement is good practice as well. As difficult as it might be, you should never reuse passwords between sites, or at the very least don't use the same password for the Avlis forum that you do for your banking website, or the same password you log into the game servers with that you do for anything else sensitive. It's just good security practice.