stijntje

Michael has access to your password


Important security issue you should all be aware of: your password is not encrypted on this site, so Michael and any other person who has access to the database can read it.

In other words: any hacker will have access to your email / password combination.

How is it possible in 2019 to take such risks as website owner?

Not sure at all I will remain a member.


I cannot see your password. All member information is stored in a database. What stijntje is referring to is when he requests a forgot password, the password is sent to him as opposed to a link to reset the password. In 2019, I assume that every place I type information is stored on their system.  I do not use the same password for multiple sites. This site is SSL secured. We pay for that each year and follow industry standards for securing sites. However, I always assume that when I register on a site that the site will have information about me. I know right now I can see every IP from each member, all emails, your browser, etc.  I cannot see your password.  


12 hours ago, stijntje said:

In other words: any hacker will have access to your email / password combination.

How is it possible in 2019 to take such risks as website owner?

How about the users taking a little responsibility ourselves?

I have several e-mail addresses.  One is reserved for friends and financial matters.

A second is used for general travel, forums etc. (including this one).

A third is used for a sideline business.

The 4th and 5th are used for anything I distrust.

The password I use here follows a completely different pattern to those used for banking.

Therefore, anyone who gets my e-mail & password from here cannot use the info to hack anything of financial value.


On 2/28/2019 at 4:58 PM, stijntje said:

Important security issue you should all be aware of: your password is not encrypted on this site, so Michael and any other person who has access to the database can read it.

In other words: any hacker will have access to your email / password combination.

How is it possible in 2019 to take such risks as website owner?

Not sure at all I will remain a member.

I guess it is possible when someone does not understand security protocols!


On 3/10/2019 at 8:23 PM, colmx said:

Could you explain it for us instead of being so belittling to the OP?

Stijntje is right. Websites that store actual passwords are not secure by today's standards. Anyone at the hosting service where the database is stored can access the passwords of everybody using this site. So can anyone who knows how to hack into the hosting service, and there are plenty of those - see the frequent headlines.

Yes, you can mitigate the risk following z909's recommendations (I certainly do!) but even so, someone hostile (and there must be many people who disapprove of this site) could use your credentials to impersonate you here.

Best practice "industry standard" 2019-style requires that at a minimum, any site with password access should store not the password but some kind of cryptographic hash of it. When you log in, the system computes the hash from your password, discards the password and compares its hash with the hash in the database. The password itself is never stored anywhere, and if anyone steals the database they cannot easily reverse the hash to recover the password.

The fact that the site is SSL secured is irrelevant here - that protects your password against eavesdroppers as you log in, which is good, but it does nothing to protect the password database itself. (Incidentally, SSL hasn't been best practice for the last decade or so, having been replaced by TLS ;).)

Emailing a forgotten password is also anything but best practice, since email is totally insecure, and messages could be read by anyone with access to any of the many routers and switches the email passes through.

Bottom line:

Any site that can tell you your password if you lose it, can tell anyone else too.

Any site that tells you your password by email has also told an unknown number of other people.

That's why if you forget a password, most of the sites you interact with today will email you, not the new password but a link to an HTTPS connection to create a new password. They don't tell you the old password, because they don't know it.

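The scheme the post above describes (store a salted hash, recompute it at login, and on "forgot password" email a short-lived reset link rather than the password) as an added, self-contained example; this is not code from the forum software or from anyone in the thread, and the iteration count, record format and 15-minute token lifetime are illustrative choices, not the site's.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative work factor; a real deployment tunes this to its own hardware.
ITERATIONS = 210_000
RESET_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record. The password itself is never stored,
    so a dump of the users table yields only salts and hashes."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login check: recompute the hash from the submitted password and
    compare it to the stored hash in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(reset_store: dict, user: str, now: float) -> str:
    """Forgot-password flow: the site keeps only a hash of a random token plus
    its expiry; the raw token goes into the emailed HTTPS link and nowhere else."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    reset_store[user] = (token_hash, now + RESET_TTL)
    return token


def redeem_reset_token(reset_store: dict, user: str, token: str, now: float) -> bool:
    """Accept a reset link once, and only before it expires."""
    entry = reset_store.pop(user, None)  # single use: remove on first attempt
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(token_hash, presented)
```

Because the record holds only a salt and a PBKDF2 hash, an administrator or a database thief cannot read the password back, which is exactly why a site built this way cannot email you your old password.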
