Security Issues

This topic contains 3 replies, has 2 voices, and was last updated by fastdiet 9 years, 11 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)

  • After joining this website, I received an email welcoming me to the website. The e-mail contained my full password. Surely this must have security issues in that anyone can have access to the password and user name. I then checked the site address in my browser and saw that the web address did not have the padlock symbol or start with the web address HTTPS for a secure link after logging in, even after I accessed my profile.

    Fortunately, I do use a different password for every site that requires a password but for those who don’t, it not only puts them in a very vulnerable position in my opinion but without the secure link, any information passing between the site and the user could be intercepted by the unscrupulous people that we know ‘patrol’ the web looking for vulnerabilities to exploit.

    If I have got it wrong about a secure link to this website, I am happy to be corrected but my password appearing in the email is something that needs to be addressed.

  • Hi – this is a one off email that can’t be repeated – it’s sent to you (if you request it) as your password is sent to the database for the first time. Once in the database, your password is stored in encrypted format in the database and can’t be accessed in plain text thereafter, so if you forget your password, you are sent a link to re-set it. So your password is as secure as your email – this is true with both the re-set password link and the initial email.

    If someone has a lot of trouble with it and asks me for help, I can set them a new password and let them know what it is, but I can’t tell them their old one because it is not possible for me or anyone else to access it as plain text.

    BUT you are completely right that this is something to keep in mind. There are still some sites that store passwords in plain text. The way to check this is follow the “forgot my password” procedure and see if they send you it back. If they do, it’s accessible to other people. If they don’t and instead send a link to re-set your password (or help you re-set your password) then it’s because they don’t have access to it.

    You’re also right in choosing different passwords for different sites. I use 1password, https://agilebits.com/onepassword , but have also heard good things about LastPass, https://lastpass.com/.

    I also recommend setting up two factor authentication for everything you possibly can, especially email accounts which are used for password re-set emails. Here are instructions for Google: https://support.google.com/accounts/answer/180744?hl=en and other large email companies have the same — here is a list of where you can enable it: http://twofactorauth.org/

    We are in the process of making the site ssl and it’s already continually monitored for security breaches.

    I have to apologise for slipping into the generic “You” – I think you (the specific you) probably know all this. But it’s interesting and an excellent topic of discussion and this is a great opportunity to talk about it and get people informed.

    Instead of waffling on more, let me know if you have any other questions.

    Oh! Also: if anyone is on eBay, please re-set your password now; their database was hacked.
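    The property the reply describes (a stored password that cannot be read back as plain text, so a forgotten one can only be replaced via a one-time reset link) can be shown in a few lines. This is an added illustration, not the forum's own code; the in-memory dictionaries standing in for the database, the 15-minute token lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the site's database (assumption).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_timestamp)
TOKEN_TTL_SECONDS = 15 * 60


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def set_password(username: str, password: str) -> None:
    """Store only a fresh salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify(username: str, password: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def request_reset(username: str) -> str:
    """Mint the one-time token that would be emailed; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).digest()
    RESET_TOKENS[key] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str) -> bool:
    """Consume the token once; reject unknown or expired tokens."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or entry[1] < time.time():
        return False
    set_password(entry[0], new_password)
    return True
```

    Nothing in `USERS` or `RESET_TOKENS` contains a password, which is why a "forgot my password" flow built this way can only send a link, never the password back.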

  • Thank you for your response which clears up the query I had.

    eBay: Yes I use their website and heard from the BBC that they had been hacked. Changed my password last night for that site.

    Also, I have in the past bought products from Adobe and guess what, a few months ago they got hacked too! I hope this shows that I wasn’t being pedantic but had a genuine cause for concern having had accounts with two supposed secure websites that have been hacked within the last few months. Perhaps I should change my username to ‘Lucky’.

  • I’m glad – if you have any others, please do ask. I may not tell you everything about the site* but will answer. 🙂

    One thing everyone affected by the eBay, Amazon or other breach needs to do is change passwords on all other sites where they’ve used the same password.

    Here’s Reuters on the eBay hack: http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521

    And I completely agree that you’re not being pedantic! (I’m also hoping a lot of people read this and change their passwords on sites…)

    *I know that obscurity isn’t security but hope it’s understandable to not post a road map!
