barmar (posted January 12, 2011):
I was having a discussion about secure vs. insecure login forms in another forum, and decided to check the BBO Forum's login page. It doesn't use HTTPS to send the username and password. That's bad.

inquiry (posted January 13, 2011):
If you are concerned about this... when you get the login page at:
http://www.bridgebase.com/forums/index.php?app=core&module=global&section=login
change it to
https://www.bridgebase.com/forums/index.php?app=core&module=global&section=login
And when asked, click only show material sent securely. The fancy format stuff goes away, but the login options are there. If you use Hotmail or gmail on public (non-encrypted) wifi, you can do that too... type for instance https://www.hotmail.com etc instead of the normal http

Gerardo (posted January 13, 2011):
HTTPS now forced at login time.

Rain (posted January 13, 2011):
Gerardo has made a change to https, but thinks it applies to logins only. Thank you for bringing this up.

mgoetze (posted January 13, 2011):
This is a very small issue compared to the fact that BBO still stores all passwords in plaintext on its server! Make sure you never ever use your BBO password for anything else!

mohitz (posted January 13, 2011):
> This is a very small issue compared to the fact that BBO still stores all passwords in plaintext on its server! Make sure you never ever use your BBO password for anything else!

And how do you know that?

mgoetze (posted January 13, 2011):
> And how do you know that?

Because I can log in with different capitalisations of my pASswoRd.

fred (posted January 13, 2011):
> Because I can log in with different capitalisations of my pASswoRd.

Your conclusion does not follow from this premise.

Fred Gitelman
Bridge Base Inc.
www.bridgebase.com

cherdano (posted January 13, 2011):
Is "OK, not directly." a new way of saying "OK, I was completely wrong."?

mgoetze (posted January 13, 2011):
> Your conclusion does not follow from this premise.

OK, not directly. You might be upper- or lowercasing everything before running it through a hash function. But it would definitely feel a lot more secure if passwords were case-sensitive!

georgeac (posted January 17, 2011):
lol

Antraxxx (posted January 18, 2011):
This is actually a rather curious treatment, though. Regardless of how passwords are stored, case insensitivity is considerably easier to brute force. Are people really having that much difficulty remembering their original capitalisation?

Rain (posted January 18, 2011):
I haven't discussed this much with the owners, but my personal opinion: Yes, people are indeed having difficulty remembering capitalization. This is a Bridge club, not WOW. Many more members are older than average, less computer savvy than average. Being able to help some less computer savvy people discover BBO and get online is an accomplishment in itself. Because of this, I'm pretty sure the password thing is deliberate. I don't know if it's true, but I've always suspected Fred wrote BBO for his mom. Ask him!

Antraxxx (posted January 19, 2011):
I thought I did. No offense intended to whoever made the (obviously deliberate) choice, but was this thought out? People who are less computer savvy are more likely to choose a weak password, and accepting all capitalization would render such a password even weaker.

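Added example, not part of the thread and not BBO's code: a sketch of the two points argued above, namely that a login accepting any capitalisation is compatible with salted hash storage (mgoetze's "lowercasing everything before running it through a hash function") and that folding case shrinks the search space (Antraxxx's point). The function names, the PBKDF2 parameters and the 62-versus-36 symbol alphabets are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor for this example


def _derive(password: str, salt: bytes, fold_case: bool) -> bytes:
    # With fold_case=True every capitalisation maps to the same input.
    material = password.casefold() if fold_case else password
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, fold_case: bool) -> tuple[bytes, bytes]:
    """Return (salt, digest); the password itself is never stored."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, fold_case)


def verify(attempt: str, salt: bytes, digest: bytes, fold_case: bool) -> bool:
    # Constant-time comparison of the derived values.
    return hmac.compare_digest(_derive(attempt, salt, fold_case), digest)


def bits(length: int, alphabet: int) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def case_folding_cost(length: int) -> float:
    """Bits lost when a random letters+digits password is case-folded
    (62 distinct symbols collapse to 36)."""
    return bits(length, 62) - bits(length, 36)


if __name__ == "__main__":
    salt, digest = enroll("pASswoRd", fold_case=True)  # constructed sample
    for attempt in ("password", "PASSWORD", "pASswoRd", "passw0rd"):
        print(attempt, verify(attempt, salt, digest, fold_case=True))
    lost = case_folding_cost(8)
    print(f"8 random characters: {lost:.2f} bits lost, "
          f"search space {2 ** lost:.0f}x smaller")
```

The loss grows linearly with length, so the practical mitigations for a case-insensitive scheme are a longer minimum length and rate limiting of login attempts.
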
mtvesuvius (posted January 19, 2011):
Who would want to hack a Bridge Forum? lol

Antraxxx (posted January 19, 2011):
I'm going to assume that was an honest question. Generally, everything on the internet, no matter how seemingly irrelevant, is tempting to attack. The attackers can be wannabe hackers in training - they often randomly choose forums (sometimes based on searching Google for keywords and choosing randomly from the results) and try to deface them to "get their name out there", in a way. Sometimes they're politically motivated and are trying to get their message across no matter where, but this forum is likely not very good for that. Another type of attacker that doesn't care about the target is people distributing malware. The odds of someone clicking a malicious link in a private message are considerably higher if it comes from a friend, rather than a newly registered member. A third type is the standard "people hoping the password to your forum account is also the password to your email".

If I can break down exhaustively searching someone's password to two phases, first of all guessing the letters in the right order then guessing the capitalization, I need significantly less computing power - it's like playing mastermind :)

Phil (posted January 19, 2011):
> Who would want to hack a Bridge Forum? lol

I loathe the day that someone posts on BBF using the username P-H-I-I or P-C-I-A-Y-T-O-N. Not that anyone would even do that on the main site. Well, not recently anyway :angry: :P

mtvesuvius (posted January 19, 2011):
pciayton and phii is already taken :(

Phil (posted January 19, 2011):
> pciayton and phii is already taken :(

I won't bother to check if M-T-V-E-S-U-V-L-U-S is.

mtvesuvius (posted January 19, 2011):
:)