Guys... Please... Tighten up Your security policies on the forum...

[AndrzejL]

Hi Folks.

My name is Andrzej and I am a paranoid dude... I am also a user of Your free AV for Linux, and before that I was using Your free product on Windows... and I love it... and I have been recommending it to friends and family... And I think You guys are doing something wonderful. You care about users security on the internet and You do it free of charge... And this is why I feel compelled to do this...

I registered here yesterday and I have a few security tips for the forum admins...

First... Why on earth would somebody send me my password after I registered, in plain text, via e-mail in the confirmation letter?

A) If I was not paranoid and if I was not always using SSL between my Thunderbird and e-mail provider someone could "listen" to the content of the letter and get my password.

B) If You can send me the e-mail with the plain text password in it (I am afraid to ask) does it means that the e-mail is STORED in plain text format in Your database? DUDE!

C) If I didn't changed the password immediately after noticing this and someone ever took over my e-mail - they would get the password to this forum on the silver platter... and they could do nasty things... Now at least they have to go into trouble of going to Your forum, clicking the "I forgot my password" button and waiting for the e-mail that will allow them to change the password to something they chose before spamming the forum with little blue pill ads...

D) This meant for me (and possibly other users too) - changing the password as soon as I have registered which meant extra work and time...

Conclusions? This is a BAD security practice. If I have registered with the forum - I entered a password and I probably remember what it was (or have it stored in LastPass or other secure password manager)... Why sending it to me in plain text? That's so 90's... If I cannot remember the password I will use the password reminder. I am not gonna tell You to hash and salt Your passwords in the database... you should know about it better then I do...

I hope that You will change that folks...

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Let's say a bunch of complete noobs registers at the forum and they have NO idea about the internet security routines. Heck they are probably giving their e-mail addys to the spammers for free just so they could get their first e-mail letter and to be "cool cats"... I know... If they don't care... BUT guys - You are a security related bunch. You should know better... It's like Windows XP and their Firewall allover again... Windows XP had firewall disabled by default... for all network interfaces. After they were flooded with complaints they released (I think Service Pack 2 was first) cds with firewall turned on by default. I mean... This is big... By not having the box ticked by default You are supplying spammers with e-mail addys (all they have to do is register and start harvesting) and I am betting my vital organs - You do not want to be associated with thing like this...

Third and last part is about the registration process... I used very complicated password:

Code: [Select]

K"b^+yd(49f%4,c9h\ywNXZ=qnw\Dm@F*/)jJM+5/BR*+}%oKEz1*wE+DqA&vuT
Yes that's the actual password that I have used (or at least that's the password sent to me in the confirmation letter - I never compared it with the password that I have used during registration process). It's been changed since then and I always use different random passwords for the sites I am registering with so I don't care if someone sees it. Problem is that Your registration script is somehow changing some of the characters in the password and it allowed me to use it in the registration process BUT it would not let me log in with it.

I had to use different - less complicated password. It's still very strong BUT some of the characters had to be excluded in the password generating process. I am not sure what's wrong there but it would be good to give users know that some characters are not allowed in the passphrase. Oh You get the point.

Please do not hate me. I do not meant any offense but it's like not telling Your best friend that she / he left her / his front door wide open before he / she went abroad for 3 weeks and then act surprise when You realize he / she got robbed and all their valuables are gone... OR like not telling a child to not to play with electric socket and then crying at the funeral. It's "you could have done something and yet You chose to be a wuss" story. Well I am deciding to tell You about this. Please tighten up Your security policies on the forum folks. You will do what You want and I won't feel guilty.

Regards.

Andy

P.S. I see that You are filtering the v word. Good one. I like that . I also like the fact that You don't allow to browse user profiles by the not registered folks. Great!

[Gargamel360]

You know, even if I had not seen your other post about your tutorial, I would have all but known you are a Linux guy.

I'm not against any of your ideas (nor would it matter if I was since I'm not forum admin.) but you have to admit.....well, actually, you already kind of did....that your ideas stray a bit to the paranoid side.  Example; Using SSL for email is not at all paranoid, that just makes good sense....changing a forum password that was sent to you in plain text, despite the fact that you are using SSL yourself.....thats over the paranoid edge, imo, no offense intended.    And that password....people laugh at me all the time when I explain how I use Case sensitive/Numbers/Symbols/16 character minimum for my passwords.....congrats on making me feel inadequate with that corporate-level pass.

As far as "B" goes....well, I'm with you there, I assume its not stored in plain text ....see, now you are making me paranoid

As for "C"....spam comes all the time anyway (though drastically less since they finally run a SPAM filter), they don't need to hijack your account to do it....there isn't even a captcha (you missed that one ).  I have yet to witness a single account hijack in my 2 years around here.

As for the "hide the email" being on by default rather than off, that would be nice, you are far from the first to suggest it.

[SafeSurf]

I agree with both of you.  AndrzejL, you're not the first person to point out what you did under "A."  In fact many other companies (financial institutions included!) do it as well which is more dangerous IMO.  I also change my password as a precaution.

Gargamel360's responses to your other comments are correct.  And I agree that the "Hide the Email" should be the default because we've had to remind many newbies about changing this because they did not know any better.

We encourage users like you to offer suggestions, so thank you for pointing them out.   

[spg SCOTT]

Regarding the password sending issue, I am not sure that smf allows for it to be sent in any other way.

Looking briefly at the smf forum, it seems that this is the case. I could be wrong though since the topicsI found were froma few years ago, and that may have changed since then.

I do agree that it is less than ideal though.

The displaying of the email address annoys me too, not only should it be set to not show it, but it also users as the email icon is still shown next to their post (it doesn't show for everyone else, but how does the user know that?)

[RejZoR]

Ever thought you're a bit too paranoid? You can send password in HTML form but what have you done with that? Not much really. Besides, many forums and services send passwords like this to the user. Far more sensitive ones than public forum service. Your password is also heavily exaggerated. Do you really need 30+ characters long full ASCII password for a forum? It's like firing off a nuke to light up your cigarette. 10+ alphanumeric pass with dash or underscore is way more than most would use anyway. And hiding e-mails. I have my mail public ever since i signed up for GMail service and i couldn't care about it. I get spam but it gets packed in its folder. So i don't really care.

[AdrianH]

Frankly I think this is all baloney.

1) Many site/forum accounts are set up in exactly this way and it has never been a problem. The passwords in all the forum software I have run have always been encrypted and inaccessible to anyone,staff included.

Most sites/forums that send an email of this type tell you (and this is plain common sense) to change your password after registration, just as they do with the lost password process.

2) Hide email address bad security?  No this is CHOICE many people want to have their email visible, personally I don't and on any site I join I check the privacy settings, it takes but a few seconds to do and if someone is that paranoid about security and spam why the heck are you using your personal email address anyway?
I keep a couple of webmail addresses for all registrations at mail.com, these have blocking facilities for the bad sites and keep my personal address clear for those I want to give it to.
What would you do on a forum where the admin insists upon and forces an email address to be displayed?

[YoKenny]

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Only you and the forum Moderators can see your e-mail address.

[bob3160]

And I thought our friend Polonus was paranoid    

[AndrzejL]

You know, even if I had not seen your other post about your tutorial, I would have all but known you are a Linux guy.

I'm not against any of your ideas (nor would it matter if I was since I'm not forum admin.) but you have to admit.....well, actually, you already kind of did....that your ideas stray a bit to the paranoid side.  Example; Using SSL for email is not at all paranoid, that just makes good sense....changing a forum password that was sent to you in plain text, despite the fact that you are using SSL yourself.....thats over the paranoid edge, imo, no offense intended.   And that password....people laugh at me all the time when I explain how I use Case sensitive/Numbers/Symbols/16 character minimum for my passwords.....congrats on making me feel inadequate with that corporate-level pass.

As far as "B" goes....well, I'm with you there, I assume its not stored in plain text ....see, now you are making me paranoid

As for "C"....spam comes all the time anyway (though drastically less since they finally run a SPAM filter), they don't need to hijack your account to do it....there isn't even a captcha (you missed that one ).  I have yet to witness a single account hijack in my 2 years around here.

As for the "hide the email" being on by default rather than off, that would be nice, you are far from the first to suggest it.

Hi Dude.

I really enjoyed reading Your response. No offense taken. You also raise some good points. Missing captcha in the registration process... DUH!... I completely forgot about this... I should stop posting at 4 30 am...

I agree with both of you.  AndrzejL, you're not the first person to point out what you did under "A."  In fact many other companies (financial institutions included!) do it as well which is more dangerous IMO.  I also change my password as a precaution.

Gargamel360's responses to your other comments are correct.  And I agree that the "Hide the Email" should be the default because we've had to remind many newbies about changing this because they did not know any better.

We encourage users like you to offer suggestions, so thank you for pointing them out.    

Thanks very much for Your reply.

Last night forum was very slow and I was trying to get to the Control Panel of my account and tick that dang box and I couldn't. After about 45 minutes I finally got it done... 45 minutes is plenty of time really for any of the registered bots (if there are any) to harvest it... The only consolation was that if forum was so slow for me - it was slow for them as well... and that I haven't posted anything yet.

Regarding the password sending issue, I am not sure that smf allows for it to be sent in any other way.

Looking briefly at the smf forum, it seems that this is the case. I could be wrong though since the topics I found were from a few years ago, and that may have changed since then.

I do agree that it is less than ideal though.

The displaying of the email address annoys me too, not only should it be set to not show it, but it also users as the email icon is still shown next to their post (it doesn't show for everyone else, but how does the user know that?)

My question is - why sent the password in any form at all?

Displaying the e-mail / e-mail icon for the user that owns the account is a completely different story. I understand Your point and I agree with it however this is how SMF works and this cannot be changed by the admins of the forum unless they re-write some SMF code. Believe me or not - I was confused seeing the e-mail icon being still there (on another forum) after I ticked the box so... yeah I know what You are saying. Changing the icon the grayish when e-mail is hidden for public and adding (Hidden) in the profile of the user next to their e-mail addy would be something SMF could do some work on but like I said. Our admins cannot change it from the forum admin control panel as far as I know.

Ever thought you're a bit too paranoid? You can send password in HTML form but what have you done with that? Not much really. Besides, many forums and services send passwords like this to the user. Far more sensitive ones than public forum service. Your password is also heavily exaggerated. Do you really need 30+ characters long full ASCII password for a forum? It's like firing off a nuke to light up your cigarette. 10+ alphanumeric pass with dash or underscore is way more than most would use anyway. And hiding e-mails. I have my mail public ever since i signed up for GMail service and i couldn't care about it. I get spam but it gets packed in its folder. So i don't really care.

No I never thought about being bit to paranoid... I didn't know paranoia came with degrees... Now that I think about it... I think I could get my masters or phd in it... Which changes nothing really but since You mentioned it...

Makes no difference to me if the e-mail is html / plain text formatted... Anyone listening to the network (sniffing) can hear it's content and hence my question (like I mentioned above) is WHY send it at all... What good comes from it?

Well I am sorry... If many of Your friends decided to jump from cliff without parachute and kill themselves would You do it too just because many of them did? I know... I know... If I was standing behind You nagging You might consider that... Actually that's the first forum that I registered with that did it...

About the password length... Wow... Really?

I understand that some users don't care about the security. Fine... But is that the reason we should all stop caring about it or decrease the level of the security for all users? I don't think so.

Yes my passwords are long and complicated. Yes I use different password for every single service that I use. Yes I am using many different security precautions... Is that a bad thing? Well... Security oriented online policies are like condoms... It's better to have it and not to need it then need it and not to have it...

I am not sure if the indifference is better then paranoia when dealing when online security... Time will tell.

Frankly I think this is all baloney.

1) Many site/forum accounts are set up in exactly this way and it has never been a problem. The passwords in all the forum software I have run have always been encrypted and inaccessible to anyone,staff included.

Most sites/forums that send an email of this type tell you (and this is plain common sense) to change your password after registration, just as they do with the lost password process.

2) Hide email address bad security?  No this is CHOICE many people want to have their email visible, personally I don't and on any site I join I check the privacy settings, it takes but a few seconds to do and if someone is that paranoid about security and spam why the heck are you using your personal email address anyway?
I keep a couple of webmail addresses for all registrations at mail.com, these have blocking facilities for the bad sites and keep my personal address clear for those I want to give it to.
What would you do on a forum where the admin insists upon and forces an email address to be displayed?

Thanks for posting Your opinion.

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Only you and the forum Moderators can see your e-mail address.

Are You sure? I just checked and I can see RejZor's e-mail addy for example and I a not a forum moderator...

And I thought our friend Polonus was paranoid    

I have no idea who polonus is but I am also known online as Paranoid_Pole...

Thank You all for Your replies.

As I expected some of You agree with me and some of You don't... That's normal and perfectly predictable.

I wrote what I wanted to write and at least my conscious is clean. I did what I could.

Remember one thing just because You are paranoid it does not mean that they are not out there to get You...

Regards.

Andrzej

[!Donovan]

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Only you and the forum Moderators can see your e-mail address.

Are You sure? I just checked and I can see RejZor's e-mail addy for example and I a not a forum moderator...

I think this answers your question:

And hiding e-mails. I have my mail public ever since i signed up for GMail service and i couldn't care about it. I get spam but it gets packed in its folder. So i don't really care.

And I thought our friend Polonus was paranoid    

+10

[AndrzejL]

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Only you and the forum Moderators can see your e-mail address.

Are You sure? I just checked and I can see RejZor's e-mail addy for example and I a not a forum moderator...

I think this answers your question:

And hiding e-mails. I have my mail public ever since i signed up for GMail service and i couldn't care about it. I get spam but it gets packed in its folder. So i don't really care.

Actually it does not...

My point was that the e-mail is accessible for anyone registered if the box is not ticked. The box is not ticked by default and hence by default anyone registered can see Your e-mail address. Now I would prefer it to be the other way around... If You want to show Your e-mail to public un-tick the box after You have registered.

Another way of making it work would be to give users this option during the registration process...

Regards.

AndrzejL

[!Donovan]

Another thing - the "Hide my e-mail from public" box... It's not ticked by default... This is another bad security practice...

Only you and the forum Moderators can see your e-mail address.

Are You sure? I just checked and I can see RejZor's e-mail addy for example and I a not a forum moderator...

I think this answers your question:

And hiding e-mails. I have my mail public ever since i signed up for GMail service and i couldn't care about it. I get spam but it gets packed in its folder. So i don't really care.

1 - Actually it does not...

2 - My point was that the e-mail is accessible for anyone registered if the box is not ticked.
3 - The box is not ticked by default and hence by default anyone registered can see Your e-mail address.
4 - Now I would prefer it to be the other way around... If You want to show Your e-mail to public un-tick the box after You have registered.

5 - Another way of making it work would be to give users this option during the registration process...

1 - RejZoR choose to have his email shown on the forums
2 - True
3 - True
4 - That would be beneficial for a new user, as they wouldn't have to worry about changing their profile before posting about their security issue *if they have one at all).
5 - That would be more sufficient

This board is powered by SMF, though, the admins would probably have to ask them for a special deal or something to change the settings if they can't do it in their control panel.

[AndrzejL]

4 - That would be beneficial for a new user, as they wouldn't have to worry about changing their profile before posting about their security issue *if they have one at all).

Thank You. My point exactly .

Regards.

Andy

[AndrzejL]

Yeah... And if anyone missed that... thouriVurrent was a spambot and the site that he posted a link to was... I am not gonna tell You...

Regards.

AndrzejL