This is a little off topic, but I wanted to post it in the OpenVMS forums because I like the people around here, and wanted you to hear it.
I was posting on a forum and trying to get some help with MS SharePoint development that IтАЩve been doing. Anyhow, I noticed some security flaws in the forum site, mainly the following.
1) Passwords were not encrypted using hashing or one-way encryption. This means anyone with access to the password database (including forum admins) can see user passwords in plain text. One-way encryption is a pretty basic thing, I learned about it when I was a freshman in college. You can allow admins to reset passwords and send users the new ones, but you shouldnтАЩt be sending users their passwords in plain text in an email. These guys were doing exactly that, and thatтАЩs how I knew they didnтАЩt use one-way encryption.
2) In the user profile, changing the password does not require that you supply the old password. Changing the user e-mail address does not require password verification.
As a result, my posts were removed within 10 minutes and my account was disabled within 15 minutes. Extremely unprofessional. Censoring forum posts wonтАЩt make their security problems go away, and security by obscurity always fails eventually.
In case you donтАЩt think the above problems are a big deal, let me lay out a little scenario for you:
We all know that weтАЩre not supposed to use the same passwords over again, but almost everyone does. YouтАЩll make a really strong password with a good mix of letters and digits and special characters, none of them dictionary words. Then what do you do? You use it over and over, because multiple strong passwords are hard to remember and writing them down completely defeats the purpose of having a strong password in the first place. So, say youтАЩre on a business trip and have to use a public computer. You log onto the aforementioned forum with your strong password, and check some technical questions you asked last week. Did I mention the forum has a тАЬremember meтАЭ setting. You usually access the forum from your work computer, so you donтАЩt really notice that itтАЩs turned on. Some blackhat has been looking at your screen from across the room out of curiosity. When you leaves, he goes over and goes to the last site you were at via the History listings of most browsers. He notices that youтАЩre still logged in. He goes to your profile and changes the e-mail address to his after writing down your email address. He then fills out the тАЬforgot my passwordтАЭ form that requires only and email address. Seconds later, your strong password is sitting in his inbox in plain text. He then notices that changing the password doesnтАЩt require user verification, so he changes it and has completely hijacked your account. He googles your name and email address and finds out local banks in your area and begins to try to guess your username, figuring that with such a strong password, you must reuse it.
Security is important, even for sites that donтАЩt store particularly valuable information about the users. Anyhow, IтАЩve been banned from the forum for discussing some pretty basic security topics. Do you folks think I should do anything, try to let other users know? Give me some feedback.
By the way, the URL of the forum is :
http://www.tek-tips.com/This is a much better forum. :)
"It's only funny 'till someone gets hurt, then it's hilarious!"
