A CAUTION re forum-signup / web security

Postby AutomationMan » Thu Oct 23, 2014 3:26 am

Attn: Admin
Is there some way I can contact the Forum admin privately, or they can contact me privately, to discuss issues around the security and usability of the Forum sign-up process, please?
Working as an I.T. Integration Analyst, I have a security concern regarding the authentication email, and the execution of the validation link also needs some revisiting, I believe.

You should have access to my email address through my profile; otherwise, one method of staying private might be for you to post a comment with a more private contact method on my latest blog post, and I'll just delete it without publishing that comment ... if that would work for you.
[http://ttlinkdiscussion.blogspot.com.au/2014/10/orange-oil-cleaners-work-as-well-or.html]
Alternatively, refer to my blog Follow me.

Email or Skype preferred, but I could call a phone # if required.

Regards CS
Last edited by AutomationMan on Mon Nov 03, 2014 4:06 am, edited 1 time in total.
AutomationMan
 
Posts: 2
Joined: Thu Oct 23, 2014 1:58 am

A CAUTION to users re forum-signup / web security

Postby AutomationMan » Mon Nov 03, 2014 1:35 am

I had hoped one of the forum admins would contact me to discuss the security of this bulletin board but unfortunately none did.
So, by way of a belated caution to those who have already signed up, please consider the following.

Many forum users may not be concerned, but the fact that, when each of us signed up, our initial password was sent back to us in unencrypted plain-text emails is poor practice in today's privacy-compromised and hacker-prevalent world!

Certainly, common sense dictates that you should never sign up to sites using a password which you plan to retain or use on other sites; however, there are still issues with this practice:
  • Many would enter their initial password perhaps expecting it to be their password of choice until required to update it, thus NOT making it some careless choice of characters, soon to be replaced.
  • After receiving their affirmation emails with their passwords now in plain text, many probably won't bother updating them immediately, leaving their forum accounts open to abuse.
  • Most are challenged by having too many passwords to remember, so tend to use "common" or "shared" passwords across 'protected' sites.
  • It is also common practice to use password patterns (e.g. QwErTy1@3$5^ vs. QWERTY 123456 with alternates case-shifted) ... seeing these in plain text helps a hacker target an individual, by then trying all case-shifted combinations to access that person's (other) accounts.
  • Publishing passwords in plain text like this makes hacker dictionaries so much easier to compile or expand, simply by harvesting the data streams of sites (such as this forum) where plain-text passwords are known to be transmitted.
... so if nothing else, make sure any password you used to initially access this forum HAS been changed and that you are NOT using that initial password on any of your OTHER sites ... particularly where you hold sensitive or 'private' information (a misnomer in itself).
AutomationMan
 
Posts: 2
Joined: Thu Oct 23, 2014 1:58 am
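The practice criticised in the post above (emailing the initial password back to the user in plain text) has a well-known alternative: store only a salted password hash, never put the password in any email, and confirm the address with a single-use, time-limited activation token instead. The following is an added illustration of that flow in Python; it is not code from this forum's phpBB software or from the thread's author. The `Registry` class, the `forum.example` activation URL and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (constructed values, not from the page).
PBKDF2_ITERATIONS = 600_000   # cost factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 3600      # activation links stop working after one hour


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are ever stored; the
    plain-text password is never written to disk or sent anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def _token_key(token: str) -> str:
    # Only a hash of the activation token is stored, so a leaked database
    # does not hand out usable activation links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Registry:
    """Minimal sign-up store: hashed passwords plus pending activation tokens."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}      # username -> {salt, digest, active}
        self.pending: Dict[str, tuple] = {}   # token hash -> (username, expiry)

    def register(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Create an inactive account and return a one-time activation token.
        The password itself is discarded as soon as it has been hashed."""
        now = time.time() if now is None else now
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "active": False}
        token = secrets.token_urlsafe(32)
        self.pending[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def activation_email(self, username: str, token: str) -> str:
        """Body of the confirmation email: it carries the token, never the password."""
        return (
            f"Hello {username},\n\n"
            "Confirm your account by visiting:\n"
            f"https://forum.example/activate?token={token}\n\n"   # hypothetical URL
            "This link expires in one hour and can be used only once.\n"
        )

    def activate(self, token: str, now: Optional[float] = None) -> bool:
        """Consume the token. Unknown, reused or expired tokens are rejected."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_token_key(token), None)   # pop => single use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.users[username]["active"] = True
        return True

    def login(self, username: str, password: str) -> bool:
        """Only activated accounts with a matching password hash may log in."""
        user = self.users.get(username)
        if user is None or not user["active"]:
            return False
        return verify_password(password, user["salt"], user["digest"])


if __name__ == "__main__":
    reg = Registry()
    tok = reg.register("alice", "QwErTy1@3$5^")          # constructed sample
    print(reg.activation_email("alice", tok))             # no password inside
    print("activate:", reg.activate(tok))                 # True
    print("replay:  ", reg.activate(tok))                 # False, token consumed
    print("login:   ", reg.login("alice", "QwErTy1@3$5^"))  # True
```

The two properties worth checking in any registration code are visible here: the email body contains no secret that an attacker could reuse elsewhere if the mailbox or the mail transport is compromised, and the activation token is short-lived and invalidated on first use, so a captured link cannot be replayed later.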

Re: A CAUTION re forum-signup / web security

Postby Admin » Wed Nov 05, 2014 4:57 am

Hi, sorry for the late reply. Yes, I agree with everything you said. In general, use "secondary passwords" for basic phpBB forums such as BRU that you do not visit that often or that do not contain sensitive information anyway. Do not use your "main" password. The only reason why we require users to register on our forum is because otherwise we would be inundated with SPAM posts. Thanks!
Admin
Site Admin
 
Posts: 2341
Joined: Tue Mar 08, 2005 8:39 pm
