Is loveforum login really secure?



anachronistic
28-05-08, 04:06 AM
<form action="http://www.loveforum.net/login.php?do=login" method="post" onSubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">

I never really bothered to look until just now. How come SSL isn't being used? Or HTTPS? Is md5hash really secure?

:upset:
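What the form quoted above actually puts on the wire, as an added example written for this thread and not code from loveforum.net or vBulletin. It assumes, from the arguments of the onSubmit handler, that the browser blanks vb_login_password and sends md5(password) in the two md5 fields, and that the server accepts that digest as the credential (otherwise the login could not work). The victim's username, the password "apple" and the five-entry wordlist are constructed for the demonstration.

```python
import hashlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_login_post(username: str, password: str) -> str:
    """Body of the POST to login.php?do=login after md5hash() has run.
    Assumption (from the handler's arguments): the clear-text field is emptied
    and both md5 fields carry md5(password); the server then checks that digest."""
    digest = md5_hex(password)
    return urlencode({
        "vb_login_username": username,
        "vb_login_password": "",            # blanked by md5hash()
        "vb_login_md5password": digest,
        "vb_login_md5password_utf": digest,
    })


def observe_credential(post_body: str) -> Tuple[str, str]:
    """Over plain HTTP the body is readable by anyone on the path (shared Wi-Fi,
    a proxy, the ISP). The digest is what the server checks, so it IS the credential."""
    fields = parse_qs(post_body)
    return fields["vb_login_username"][0], fields["vb_login_md5password"][0]


def replay_login_post(username: str, captured_digest: str) -> str:
    """Pass-the-hash: resubmit the captured digest without knowing the password."""
    return urlencode({
        "vb_login_username": username,
        "vb_login_password": "",
        "vb_login_md5password": captured_digest,
        "vb_login_md5password_utf": captured_digest,
    })


# Constructed stand-in for a real dictionary; any public wordlist works the same way.
WORDLIST = ["123456", "password", "apple", "qwerty", "letmein"]


def crack_md5(digest: str, wordlist) -> Optional[str]:
    """Unsalted MD5: one cheap hash per guess, and the result is the clear-text
    password the user may also be using on other sites."""
    for candidate in wordlist:
        if md5_hex(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    victim_body = build_login_post("anachronistic", "apple")   # constructed victim login
    user, digest = observe_credential(victim_body)             # passive sniff of the POST
    return {
        "replay_matches_victim": replay_login_post(user, digest) == victim_body,
        "cleartext_recovered": crack_md5(digest, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from running it: the observer does not need to break MD5 at all to log in here, because the digest the form sends is accepted verbatim, and a dictionary pass over the sniffed digest hands back the clear text for reuse elsewhere. Client-side hashing only keeps the clear text out of the server's request logs; only HTTPS keeps both the digest and the username off the wire.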

Gigabitch
28-05-08, 04:10 AM
No idea. I just do stuff on the front end, not the back end.

anachronistic
28-05-08, 04:13 AM
Completely understandable, I am expecting an answer from loveadmin, because I doubt any moderators deal with server-end applications.

Also expecting some debate from technical users who know a bit about that.

My understanding is that MD5 is quite insecure, and I am just suggesting that SSL/HTTPS be used instead.

IndiReloaded
28-05-08, 05:59 AM
Not a direct answer, but a caution for the unwary:

Nothing you commit to the internet should be considered secure. Emails can be read by system admins, IP addresses can be traced (sometimes), that sort of thing. There are ways to check who's looking (we look periodically to see who has pinged our computers) & it's sometimes interesting to see what you find.

It's that old saying: if you don't want to be held accountable for saying it, don't say it.

anachronistic
28-05-08, 06:46 AM
Words of wisdom from Indi; of course precautions should be taken into consideration. But what I am getting at is even more important; the user login of the forum uses an algorithm of cryptography, called MD5, which is known for its simple vulnerabilities. Its hashes are easily decoded, because they are very simply encrypted. What does this mean? Well, someone that knows what they are doing could phish a page to you, because it is not HTTPS, and get your username and password. They could also retrieve the hash of the username/password and decrypt it, and have access to your account here (and possibly other websites, and more personal information if you use the same password for everything).

As I recall, this has happened already with one account (Dono) and the vulnerability remains open.

I am just looking out for this community by examining the issue. Time and time again in my experience as a server specialist and web designer, my opinion is that users tend to use the same username/password for everything. I am informing the public about this, and hopefully they will make any necessary changes, to ensure their security, but it is not guaranteed.

I also think it is the duty of administrative staff, even moderators on forums, to do everything they can, within reasonable boundaries, to eliminate any such problems. Why? Well, that is how the successful websites do it. The mindset of "Pfft, well that's just how the Internet is," is somewhat hindering, because it is, in a way, avoiding a problem. Sure, that's how the Internet is now, but it is not adamant. It can be changed, for the better, or for the worse. I am here to make it for the better, as I see it. Don't you want that? Don't you care?

And from a philosophical point, nothing in this world is secure. Nothing is symmetrical. So this lesson can be applied to actual life, too. I am actually writing about that in my freetime. A life of independence is a perfect one.

Oh, and I want to be recognized for the things I say. Even on here. I take full credit for all of it, but unfortunately, some sneaky bastard will probably take that away from me. Oh well. Hopefully what I said was so cleverly toned and original, that nobody could ever imitate it and call it their own. HA! :D

Kiechi
29-05-08, 08:28 PM
I don't think anyone really cares to be honest.

loveadmin
29-05-08, 08:54 PM
Sorry for the late answer. Just to assure everyone that the login is secure.

Illusional
30-05-08, 10:22 AM
yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

lesa
04-06-08, 10:07 AM
yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

lol. Your SO, family, or friends can break into your home and get it.

loveadmin
04-06-08, 04:04 PM
yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

Just wondering, was rboy drunk while writing this? :D

Illusional
05-06-08, 09:57 AM
i probably was drunk when i wrote that. or at least i thought i was.

raverboy

anachronistic
06-06-08, 10:14 AM
I never pictured raverboy as such a paranoid. Tell me, raverboy, do you insert your butt plug every day to keep yourself on your toes?

Anyway, I actually just used md5 to encrypt a user database on a website I am designing; first I encrypt it with md5, and then it is encrypted again with the MySQL encryption. And then the login uses SSL for maximum security.

Illusional
07-06-08, 10:34 AM
I never pictured raverboy as such a paranoid. Tell me, raverboy, do you insert your butt plug every day to keep yourself on your toes?

Anyway, I actually just used md5 to encrypt a user database on a website I am designing; first I encrypt it with md5, and then it is encrypted again with the MySQL encryption. And then the login uses SSL for maximum security.

paranoid?? i only keep my butt plug in because i'm worried that gay people like you want to stick your thing up my ass.

raverboy

TAVS
09-06-08, 10:40 AM
MD5 is definitely secure, but you still have to use a somewhat complex password. If you use the word apple, for example, it wouldn't be that hard to figure out even with md5. But there is one thing to always keep in mind, on any site ask yourself, is someone really going to spend that much time and that much computing power to try and access your account on said site. I can bet nobody is going to put in such effort to get your loveforum pass

loveadmin
10-06-08, 10:18 PM
MD5 is definitely secure, but you still have to use a somewhat complex password. If you use the word apple, for example, it wouldn't be that hard to figure out even with md5. But there is one thing to always keep in mind, on any site ask yourself, is someone really going to spend that much time and that much computing power to try and access your account on said site. I can bet nobody is going to put in such effort to get your loveforum pass

TAVS! long time never see you here.

Our server is going to move to Denver, Colorado very soon. I bet you will get a good ping from your home next week onward. :D

TAVS
11-06-08, 11:50 AM
Hey there LA. That's cool. I know I haven't been around a lot, I'm busy building my own Internet empire and it's taking all my time :D

Cain
13-06-08, 02:05 PM
The hash definitely secures things. The passwords are scrambled when they are entered. They aren't even stored inside the MySQL database the same as when they are entered. They are all scrambled code.

SSL certificates are usually only purchased when security could be detrimental, such as credit cards and social security numbers.

anachronistic
13-06-08, 05:17 PM
The hash definitely secures things. The passwords are scrambled when they are entered. They aren't even stored inside the MySQL database the same as when they are entered. They are all scrambled code.

SSL certificates are usually only purchased when security could be detrimental, such as credit cards and social security numbers.

Purchased? Well if you can't set the shit up yourself with openSSL

Cain
14-06-08, 03:42 AM
OpenSSL is just a program, not a certificate authority. OpenSSL just generates a self-signed certificate without any forms of verification. A certificate authority like Thawte and Verisign actually verify that the owner of the site is where the information is being sent to.

Regardless, that is only needed for the prevention of snooping of private information. As I mentioned the passwords are hashed into a mixture of characters when put into the SQL database. Loveadmin wouldn't be able to even see what anyone's password is.
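TAVS's "apple" remark and Cain's point that the database holds only "scrambled code" the admin cannot read are two sides of the same question: how much does hashing alone protect a stored password? The following is an added example for this thread, not code from the forum or its software, contrasting an unsalted MD5 table with a per-user-salted, iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library). The three users, their passwords, the wordlist and the iteration count are constructed; real deployments use far more iterations than the 20,000 here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a real dictionary.
WORDLIST = ["123456", "password", "apple", "qwerty", "letmein"]

# Constructed user table: two users picked "apple", one picked something not in the list.
USERS = {"anachronistic": "apple", "raverboy": "apple", "loveadmin": "not-in-any-wordlist-7Qx"}


# --- Scheme 1: unsalted MD5, the "scrambled code" described in the thread ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_table(wordlist) -> Dict[str, str]:
    """digest -> password, computed once and reusable against EVERY unsalted MD5 database."""
    return {md5_store(w): w for w in wordlist}


def recover_md5(db: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """One dictionary lookup per row; no hashing happens at attack time."""
    return {user: table.get(digest) for user, digest in db.items()}


# --- Scheme 2: per-user random salt + PBKDF2-HMAC-SHA256 ---
ITERATIONS = 20_000          # demonstration value only
KDF_CALLS = 0                # counts KDF evaluations spent by the attacker


def kdf_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    global KDF_CALLS
    KDF_CALLS += 1
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def recover_kdf(db: Dict[str, str], wordlist) -> Dict[str, Optional[str]]:
    """No shared table is possible: the salt forces a fresh KDF run per user per guess."""
    return {user: next((w for w in wordlist if kdf_verify(w, stored)), None)
            for user, stored in db.items()}


def demo() -> dict:
    global KDF_CALLS
    md5_db = {u: md5_store(p) for u, p in USERS.items()}
    kdf_db = {u: kdf_store(p) for u, p in USERS.items()}
    KDF_CALLS = 0
    kdf_result = recover_kdf(kdf_db, WORDLIST)
    return {
        "md5_same_hash_for_same_password": md5_db["anachronistic"] == md5_db["raverboy"],
        "kdf_same_hash_for_same_password": kdf_db["anachronistic"] == kdf_db["raverboy"],
        "md5_recovered": recover_md5(md5_db, build_md5_table(WORDLIST)),
        "kdf_recovered": kdf_result,
        "md5_hashes_spent": len(WORDLIST),            # one table, built once, amortised forever
        "kdf_hmac_iterations_spent": KDF_CALLS * ITERATIONS,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak password "apple" falls to both schemes, so TAVS is right that hashing does not rescue a dictionary word. What changes is everything around it: with unsalted MD5 the two "apple" rows are visibly identical, a five-entry table built once answers every row of every such database with no work, and the admin who "can't see" passwords can read the weak ones off in a second; with a per-user salt and an iterated KDF the identical passwords hash differently and each guess against each user costs the full iteration count, which is the property a password store is supposed to have.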

Kerbey.Moor
13-01-09, 12:35 AM
answer is no