Secure Authentication for password

I, as I'm sure many others, use the same password for different websites and often access RHP using unsecured wireless connections.

It would be nice if the password was encrypted rather than sent in plain text. (Disregard if this is already the case but is transparent to the user.)

Originally posted by bosintang
I, as I'm sure many others, use the same password for different websites and often access RHP using unsecured wireless connections.

It would be nice if the password was encrypted rather than sent in plain text. (Disregard if this is already the case but is transparent to the user.)

Why should RHP be responsible for people's lack of network security?

People hacking into your online chess account should be the least of your worries if you're running the HUGE risk of using unsecured wireless networks.

*Using* (rather than operating, that's a different story) unsecured wireless networks is not a huge risk at all if you are careful what you do. Like it or not, they are standard in airports, coffee shops, and other public businesses around the world, and if you have a laptop, you'll probably want to take advantage of them.

Anyways, I only mentioned unsecured wireless networks because they are the most extreme example. The nature of the internet is that you have to assume that anyone can see your "conversation" between your computer and the computer you are talking to (in this case RHP). If using a wired network is the equivalent of whispering, an unsecured wireless network is shouting. "Hacking" is nothing more than anyone running a computer program in the vicinity of you and "listening" in on the information you pass between your computer and RHP.

Now, websites should know this. When you do your banking online or use secure email, the webpage you are viewing encrypts everything before you send it across the network. Likewise, they encrypt any information before they send it to you. Anyone listening in on your conversation with your online bank will only see gobbly-gook. You know they are using encryption because in your web browser you will see a little 'lock' symbol or the URL will turn yellow.

Again, they make no assumptions about the network you are using and assume the worst, that people ARE listening in on your conversation. The user should assume the same anytime they use the internet.

As another example, let's take https://www.facebook.com/login.php. Notice the 's' in https, signifying that it's using a secured connection. Facebook only encrypts the password, and after I log in, anyone listening in on my conversation can see what pictures I'm viewing and uploading, what I'm writing on people's walls, etc.; however the main thing is they can't see my password.

That is all I'm asking of RHP here. I don't care if people see what I'm doing on RHP, but it would be nice if they protected my sensitive information like my password by encrypting it.

Originally posted by bosintang
*Using* (rather than operating, that's a different story) unsecured wireless networks is not a huge risk at all if you are careful what you do. Like it or not, they are standard in airports, coffee shops, and other public businesses around the world, and if you have a laptop, you'll probably want to take advantage of them.

Anyways, I only mentioned uns ...[text shortened]... they protected my sensitive information like my password by encrypting it.

As the old saying goes, there's more than one way to skin a cat. Just because there's not a separate, secure login page it doesn't automatically mean sensitive information like passwords aren't encrypted.

The site's login system is built through PHP session variables, which means the only real danger of having your account hacked is if someone is specifically sniffing your network traffic and catching your cookie during the initial login process. Obviously, there's no way of knowing for sure but as both the site Administrators are qualified designers, I'm sure they're well aware of that and have accounted for it. My money is on them having md5 encryption on the password when setting the users session and having the login form action under https.

Originally posted by Daemon Sin

The site's login system is built through PHP session variables, which means the only real danger of having your account hacked is if someone is specifically sniffing your network traffic and catching your cookie during the initial login process.


Well this is the problem. This is not a difficult thing to do.

My money is on them having md5 encryption on the password when setting the users session and having the login form action under https.

I'm not an expert and I could be missing something, but using Tamper Data and firefox, I tested this by monitoring my HTTP packets. The POST request after I entered my username and password is an http request, not https. Both the username (email) and password are plain text and anyone monitoring traffic between our computers and RHPs server is able to see these. If the password is encrypted with MD5 on the server-side, that's good for storing the password but it doesn't help prevent someone from intercepting it.

If I'm missing something, perhaps someone could shed some light.

Originally posted by bosintang
I, as I'm sure many others, use the same password for different websites and often access RHP using unsecured wireless connections.

It would be nice if the password was encrypted rather than sent in plain text. (Disregard if this is already the case but is transparent to the user.)

so you've just announced to all and sundry, on what you feel is an unsecure connection, that your RHP password is the same password that you use for all the different websites you use...

and you're worried about security?

am i the only one to see the irony in this?

Originally posted by notmyrookplease
so you've just announced to all and sundry, on what you feel is an unsecure connection, that your RHP password is the same password that you use for all the different websites you use...

and you're worried about security?

am i the only one to see the irony in this?

What I feel is an unsecured connection is the entire internet. I'm sorry I brought up the unsecured wireless, that was just one example, but the medium really does not matter. Any non-encrypted information that is passed over the internet is NOT secured and it should be assumed that any information you send will be seen by people who are not supposed to be privy to it.

I'm not wearing a tinfoil hat and predicting the apocalypse here. This should be fundamental to anyone with even a basic computer science background

Anyways, don't worry about me. This is not about me, this is about RHP. Asking that passwords be authenticated over https instead of http is not an unreasonable request.

Originally posted by bosintang
What I feel is an unsecured connection is the entire internet. I'm sorry I brought up the unsecured wireless, that was just one example, but the medium really does not matter. Any non-encrypted information that is passed over the internet is NOT secured and it should be assumed that any information you send will be seen by people who are not supposed to b ...[text shortened]... ng that passwords be authenticated over https instead of http is not an unreasonable request.

Isn't it quite expensive to use verisign or an equivalent?

What I do re passwords is use a couple of base passwords, and then derivations of those. If I feel that a site isn't trustworthy (for whatever reason), I'll make up a new pass and if I forget it, then I'll simply get a reminder sent to me.

I'd never use a password which I use for banking, etc for an unsecured log-in like RHP.

D

Not sure why bosintang is getting such a hard time on this. Usernames and passwords shouldn't be passed in the clear and his research shows that's what RHP is doing. It's entirely reasonable to ask the admins to code the username/password submission to use https and I fully support this request.

I'm sure it's somewhere on Russ's loooong To-Do list. One of those things that's not so big a deal when there are only a hundred or so people who even know about the site, so I can see why it wasn't a priority back when the site was first put up. But now that there are thousands of paying subs, it should probably be bumped up the list a bit.

Originally posted by bosintang
I, as I'm sure many others, use the same password for different websites

And that's your problem. If it's important to you, give it a unique, hard to guess password. If it's not important, feel free to use "secret" and announce to all the world that that's what you're using for everything; but don't complain when someone makes use of your own lack of a proper password.

Richard (who thinks RHP is mildly important, and therefore uses a unique, but cryptographically trivial password. And no, it's not "secret".)

Originally posted by Shallow Blue

Richard (who thinks RHP is mildly important, and therefore uses a unique, but cryptographically trivial password. And no, it's not "secret".)

53cr3t?

D