(RESOLVED) Will it ever be implemented? HTTPS
Discussion
Sprint Champ said:
So given that nothing is going to happen very quickly.
Can any of you techies suggest a really good password manager program that works on Android as well? Heard that Dashlane was good but some recent reviews on there suggested problems with it?
Nothing is perfect but 1Password and LastPass are decent if you want an easy life and your data synchronised across devices.
Sprint Champ said:
So given that nothing is going to happen very quickly.
Can any of you techies suggest a really good password manager program that works on Android as well? Heard that Dashlane was good but some recent reviews on there suggested problems with it?
http://keepass.info/
There is also LastPass, but they have been acquired by LogMeIn.
bhstewie said:
Nothing is perfect but 1Password and LastPass are decent if you want an easy life and your data synchronised across devices.
Been using 1Password for a few years now; it syncs across an encrypted cloud account (SpiderOak) to my other machines. Started off using KeePass many years ago.
Tonsko said:
Been using 1Password for a few years now; it syncs across an encrypted cloud account (SpiderOak) to my other machines. Started off using KeePass many years ago.
Thanks, and to others for their suggestions. You've moved from KeePass to 1Password, any particular reason? PM if private.
Sprint Champ said:
Thanks, and to others for their suggestions. You've moved from KeePass to 1Password, any particular reason? PM if private.
No, it's fine. KeePass (at the time) didn't have any way of synchronising across platforms, so I needed to keep a USB key with me at all times to update stuff and copy it around. I got bored of it after a few years. 1Password does it itself (providing you choose a secure cloud platform that you're happy with; I wasn't happy with Dropbox, but I am with SpiderOak).
Tonsko said:
No, it's fine. KeePass (at the time) didn't have any way of synchronising across platforms, so I needed to keep a USB key with me at all times to update stuff and copy it around. I got bored of it after a few years. 1Password does it itself (providing you choose a secure cloud platform that you're happy with; I wasn't happy with Dropbox, but I am with SpiderOak).
Thanks for that, cheers.
GreigM said:
This is what I don't really understand - pretty much all we need is for the login to be https. The rest of the site (inc advertising ste) could be left as-is.
Just the login page is not enough. Using the same methods you'd use to obtain the password, you could obtain the user session ID which will be transmitted with every request after user authentication. Having the user session ID means you can spoof that logged in user without knowing the password, for the duration that session ID is valid.
Once you're spoofing the user of choice, you could change the e-mail address associated with that user account to an e-mail address you own, then hit the 'I forgot my password' button and the password is reset. You now have total control over the account.
I haven't checked, but I strongly suspect that PistonHeads is also vulnerable to other forms of attack such as XSS and CSRF, which are equally important to protect against. Unfortunately, you have to fix quite a bit to make old sites secure; that's why it's not a quick and simple process.
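An added example, not code from the thread or from PistonHeads, putting the point above into a header check: with only the login page on HTTPS, a session cookie issued without the Secure flag is still attached to every later plain-HTTP request, and without Strict-Transport-Security the rest of the site stays reachable over HTTP. The two sample responses and the cookie name are constructed.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample responses (not captured from any real site).
# 1) Only the login page is served over HTTPS; the session cookie carries no flags.
LOGIN_ONLY_HTTPS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/"),
]
# 2) Whole-site HTTPS: cookie pinned to HTTPS, not script-readable, HSTS enabled.
HARDENED: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its lower-cased attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower()
    return {"name": name, "attrs": attrs}

def audit_login_response(headers: List[Header]) -> List[str]:
    """Return one finding per missing protection in a login response's headers."""
    findings: List[str] = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        name, attrs = cookie["name"], cookie["attrs"]
        if "secure" not in attrs:
            # Without Secure the browser sends the cookie on http:// requests too, so the
            # session ID crosses the wire in clear text even though the login POST used HTTPS.
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")  # readable by injected script (XSS)
        if "samesite" not in attrs:
            findings.append(f"{name}: missing SameSite")  # sent on cross-site requests (CSRF)
    if not has_hsts:
        findings.append("response: missing Strict-Transport-Security")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("login-only HTTPS", LOGIN_ONLY_HTTPS), ("hardened", HARDENED)):
        print(label, audit_login_response(hdrs) or "OK")
```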
Vaud said:
Yes, very much so. However, talking about full-site HTTPS is, to me at least, a very different issue to having an insecure logon page. The former is desirable but the latter is absolutely essential. I'd also like to make the point that it may be a little unfair to be blaming the developers; who's to say they're not doing exactly what they are told to?
_Exocet_ said:
Just the login page is not enough.
Using the same methods you'd use to obtain the password, you could obtain the user session ID which will be transmitted with every request after user authentication. Having the user session ID means you can spoof that logged in user without knowing the password, for the duration that session ID is valid.
Once you're spoofing the user of choice, you could change the e-mail address associated with that user account to an e-mail address you own, then hit the 'I forgot my password' button and the password is reset. You now have total control over the account.
I haven't checked, but I strongly suspect that PistonHeads is also vulnerable to other forms of attack such as XSS and CSRF, which are equally important to protect against. Unfortunately, you have to fix quite a bit to make old sites secure; that's why it's not a quick and simple process.
Yes but I don't really give a st about my PH account.
There will be a load of people here using the same email and password for all their logins - that's the critical issue.
_Exocet_ said:
Once you're spoofing the user of choice, you could change the e-mail address associated with that user account to an e-mail address you own, then hit the 'I forgot my password' button and the password is reset. You now have total control over the account.
This doesn't negate your other points but you cannot change your own email address on PH. For some reason, you have to email (from the account you want to change) and request it be done for you. It's like PH is in the dark ages when it comes to the forum.
Edited by Funk on Thursday 26th January 00:57
Whilst we are all commenting on this cluster fk.
I'd like to know how our passwords are stored in the PH User DB.
Plain-text or perhaps an MD5 hash?
How many people here are using a password that is totally insecure during transport and furthermore are they using the same password for other sites?
How long before PH gets their entire User DB hacked/stolen? A bit like Yahoo....
TheExcession said:
Whilst we are all commenting on this cluster fk.
I'd like to know how our passwords are stored in the PH User DB.
Plain-text or perhaps an MD5 hash?
How many people here are using a password that is totally insecure during transport and furthermore are they using the same password for other sites?
How long before PH gets their entire User DB hacked/stolen? A bit like Yahoo....
SHA-2 was mentioned earlier, I believe; might even have been this thread TBH.