
The Geek Culture Forums


Topic: GeekCulture password UI defects
Frank Nospam (Single Celled Newbie, Member # 12114) posted October 31, 2007 09:30:
First off, there is only one password box in "Edit my Profile", rather than the much safer triplet of old + new + confirm. Second, the edit password box has max length 13 (with no overflow warning), whereas the actual password box used at login does not set a max length. If the potential failure states of such a combination are not obvious to you, please tear up your geek card right away.

p.s. I did not bother to test the effects of exceeding maxlength (via manual javascript or a forged POST) in a new password submission. You also do bounds-checking server-side, right?

Posts: 4 | From: Balto | Registered: Oct 2007

Ashitaka (SuperFan!, Member # 4924) posted October 31, 2007 09:54:
It's not as if someone could steal someone's identity if they got into someone else's account.

--------------------
"If they're not gonna make a distinction between Muslims and violent extremists, then why should I take the time to distinguish between decent, fearful white people and racists?"

-Assif Mandvi

Posts: 3089 | From: Switzerland | Registered: Feb 2006

spungo (BlabberMouth, a Blabber Odyssey, Member # 1089) posted October 31, 2007 09:59:
quote:
Originally posted by Frank Nospam:
First off, there is only one password box in "Edit my Profile", rather than the much safer triplet of old + new + confirm. Second, the edit password box has max length 13 (with no overflow warning), whereas the actual password box used at login does not set a max length. If the potential failure states of such a combination are not obvious to you, please tear up your geek card right away.

p.s. I did not bother to test the effects of exceeding maxlength (via manual javascript or a forged POST) in a new password submission. You also do bounds-checking server-side, right?

OMG! [Eek!] I'm shocked, I tell you -- shocked! It isn't safe to walk the streets anymore -- and as if that ain't enough, I have to worry about having my forum posts stolen! Goddammit Snaggy -- how do you sleep at night? How could you do this to us? We __TRUSTED__ you! Does that mean absolutely nothing to you? No wonder the Western economies are in a mess -- no wonder our foreign policy is confused -- if you're representative of how the West approaches security! I hope you're pleased with this -- it's people like you that will lead to the demise of freedom and democracy! Oh, the humanity...

--------------------
Shameless plug. (Please forgive me.)

Posts: 6529 | From: Noba Scoba | Registered: Jan 2002

Frank Nospam (Single Celled Newbie, Member # 12114) posted October 31, 2007 10:06:
Sorry, but I was annoyed that the very first thing I experienced on this site was that it silently screwed up my password.

IMO, fellow Macophiles like our esteemed hosts certainly shouldn't accept poor UI behavior on their own site.

Posts: 4 | From: Balto | Registered: Oct 2007

Snaggy (Sir Snaggalot!, Member # 123) posted October 31, 2007 10:11:
ha ha spungo... now you know why I *don't* sleep at night. [Razz]

This Forum is an old rust-bucket, held together by duct tape and string, but I love her dearly. So far I haven't found another worth upgrading to, but I'm sure that will happen one day.

In the meantime, party and post like it's 1999! [Smile]

Posts: 8111 | From: Canada | Registered: Jan 2000

dragonman97 (SuperFan!, Member # 780) posted October 31, 2007 13:22:
...and phpBB is pretty much less secure than IE. [Wink]

A friendly word of advice - using any password of consequence for GC is just foolish. [Razz] Besides all the rantings of "Frank Nospam," the far more pressing concern would be the fact that it's all sent in the clear, via HTTP. This is just a classic case of missing the forest for the trees.

By the same token, if you want to be paranoid, you should absolutely *not* post from open WiFi (esp. incl. coffee shops), as the cookies from an already logged in account could be used in a session hijack. Then, your password could be nabbed out of the profile update screen. (Hint: Use the source, Luke! [Or just use Web Developer Toolbar to unmask the field.]) Of course, this is why I posted last night in a tea house on WiFi...using SSH tunneling with a SOCKS5 proxy.

Don't get me started about the security theater on many other sites, though!

--------------------
There are three things you can be sure of in life: Death, taxes, and reading about fake illnesses online...

Posts: 9332 | From: Westchester County, New York | Registered: May 2001

fs (Solid Nitrozanium SuperFan!, Member # 1181) posted November 01, 2007 04:16:
I like SMF. I don't think it's any more secure than any other forum system though.

--------------------
I'm in ur database, makin' moar recordz.

Posts: 1973 | From: The Cat Ship | Registered: Mar 2002

Frank Nospam (Single Celled Newbie, Member # 12114) posted November 01, 2007 07:28:
FWIW, I wasn't ranting about security. I was ranting about error prevention (typo & length).

I changed my password to something longer than 13 chars, but did not receive an indication that it was truncated. Then when I logged in again, I was allowed to type more than 13 chars, and did not get in.

The simplest solution would be to add a matching maxlength="13" to the actual login form.

Posts: 4 | From: Balto | Registered: Oct 2007

GrumpySteen (Solid Nitrozanium SuperFan, Member # 170) posted November 01, 2007 14:04:
Totally not clear from the original post, but I'll bet Snaggy could put text next to the password boxes on the signup and profile pages that indicates that the password will be truncated at thirteen characters. It still wouldn't check length (which would require more screwing with the PHP), but at least you'd be informed.

--------------------
Worst. Celibate. Ever.

Posts: 6364 | From: Tennessee | Registered: Jan 2000

stevenback7 (SuperBlabberMouth!, Member # 5114) posted November 01, 2007 18:37:
Frank Nospam: Welcome to the forums.

Yes, there are ways to make the forums safer - a lot more ways than the ones you listed. But this forum has been up and running for a long time and at least since I joined there has been no problems with the forum itself.

My advice: You just joined a "Geek" forum where we love our dictator very much for creating this awesome community. Please don't start criticizing it. I would recommend you start by introducing yourself.

--------------------
Comic Book Guy: There is no emoticon for what i'm feeling.

Posts: 1199 | From: Canada eh? | Registered: May 2006

maximile (SuperFan!, Member # 3446) posted November 01, 2007 19:23:
Hey Frank,

I like your pigeon whackery page. It took me a little while to work out what it was for, but I lol'd a bit when I did.

Welcome to the forums.

Posts: 1085 | From: London, UK (Powys, UK in hols) | Registered: Feb 2005

Snaggy (Sir Snaggalot!, Member # 123) posted November 02, 2007 12:28:
Great idea Steen, I've now added a "max 13 characters" tag to the password tag.

Frank, I'll see about adding a matching maxlength="13" to the login form. If the Forum breaks, it's your fault. [Razz]

[Smile]

Posts: 8111 | From: Canada | Registered: Jan 2000
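Editor's added example (not code from the thread, from UBB.classic, or from the forum's own PHP): a stand-alone Python model of the defect Frank reported, of Snaggy's proposed fix (a matching maxlength on the login form), and of the server-side check Frank asked about. The `client_submit` helper, the two account classes, the 13-character limit and the sample passwords are assumptions for illustration; the profile form's maxlength="13" and the login form's lack of one are taken from the posts above.

```python
"""Model of the maxlength mismatch and of a server-side length policy.

Added example, not the forum's code. Only the standard library is used;
the classes, the helper and the sample passwords are constructed here.
"""
import hashlib
import hmac
import os

# From the thread: the profile form carries maxlength="13", the login form none.
PROFILE_MAXLENGTH = 13
LOGIN_MAXLENGTH = None
POLICY_MAX_LEN = 13   # the single limit the hardened server enforces on every path


def client_submit(typed, maxlength=None):
    """Emulate a browser <input> with an optional maxlength attribute.

    Browsers drop keystrokes past maxlength without any warning, so the value
    that reaches the server is a silent prefix of what the user typed. A forged
    POST bypasses the form entirely and can carry a value of any length.
    """
    return typed if maxlength is None else typed[:maxlength]


def _derive(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class VulnerableAccount:
    """Stores whatever the form delivers; no server-side length policy at all."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = None

    def change_password(self, submitted):
        self.digest = _derive(submitted, self.salt)

    def login(self, submitted):
        return self.digest is not None and hmac.compare_digest(
            _derive(submitted, self.salt), self.digest)


class HardenedAccount(VulnerableAccount):
    """Same storage, but one length policy checked on the server on every path.

    Over-long input is rejected with an error instead of being truncated, so the
    user learns about the limit when changing the password, and a forged POST
    cannot store a value the form would have cut off.
    """

    def change_password(self, submitted):
        if not 1 <= len(submitted) <= POLICY_MAX_LEN:
            raise ValueError(
                f"password must be 1..{POLICY_MAX_LEN} characters (got {len(submitted)})")
        super().change_password(submitted)

    def login(self, submitted):
        if len(submitted) > POLICY_MAX_LEN:
            return False   # cannot match any stored password; reject, never truncate
        return super().login(submitted)


def reproduce_defect(typed_password):
    """Frank's sequence: change the password via the profile form, then log in."""
    acct = VulnerableAccount()
    acct.change_password(client_submit(typed_password, PROFILE_MAXLENGTH))
    return acct.login(client_submit(typed_password, LOGIN_MAXLENGTH))


def matching_maxlength_flow(typed_password):
    """Snaggy's proposed fix: the same maxlength on the login form as well.

    Login now succeeds, but the server still stores a silently shortened secret.
    """
    acct = VulnerableAccount()
    acct.change_password(client_submit(typed_password, PROFILE_MAXLENGTH))
    return acct.login(client_submit(typed_password, PROFILE_MAXLENGTH))


def hardened_flow(typed_password):
    """Same sequence against the hardened server; returns True, False or 'rejected'."""
    acct = HardenedAccount()
    try:
        acct.change_password(client_submit(typed_password))   # as a forged POST would
    except ValueError:
        return "rejected"
    return acct.login(client_submit(typed_password))


if __name__ == "__main__":
    long_pw = "correct horse battery"   # 21 characters, constructed sample
    print("vulnerable, 21-char password:", reproduce_defect(long_pw))        # False
    print("vulnerable, 7-char password: ", reproduce_defect("hunter2"))       # True
    print("matching maxlength, 21 chars:", matching_maxlength_flow(long_pw))  # True
    print("hardened, 21-char password:  ", hardened_flow(long_pw))            # rejected
    print("hardened, 13-char password:  ", hardened_flow("x" * 13))           # True
```

The maxlength attribute is a usability hint, not a control: only the server-side check in `HardenedAccount` holds against a hand-built POST, and rejecting with a message is what tells the user the limit exists. The 13-character cap itself is just the thread's number; with passwords stored as salted hashes there is no storage reason for so low a limit, and raising it (or dropping it) removes the truncation problem altogether.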
password (Geek, Member # 12442) posted November 18, 2007 17:59:
This forum is ridiculously full of security holes. But most are. If I felt like it (for some money) I could probably audit the site security.

--------------------
no my password is not username

Posts: 108 | Registered: Nov 2007

GrumpySteen (Solid Nitrozanium SuperFan, Member # 170) posted November 18, 2007 20:27:
OMG 1337 haxxors are gunna steal mah bucket an post stuff in my name. Nobody will believe it wasn't me! I'll just die if someone thinks I posted a link to a porn site with nekkid girls!

Doom! Terror! Moisture!

--------------------
Worst. Celibate. Ever.

Posts: 6364 | From: Tennessee | Registered: Jan 2000

Xanthine (Solid Nitrozanium SuperFan!, Member # 736) posted November 18, 2007 21:06:
quote:
Originally posted by Steen:
I'll just die if someone thinks I posted a link to a porn site with nekkid girls!

You know, that might be an improvement on your usual. [Wink] [Razz]

Please do not take that as a challenge. Seriously. Don't. Please.

/me grovels

--------------------
And it's one, two, three / On the wrong side of the lee / What were you meant for? / What were you meant for?
- The Decemberists

Posts: 7670 | From: the lab | Registered: Mar 2001

GrumpySteen (Solid Nitrozanium SuperFan, Member # 170) posted November 18, 2007 21:17:
Sorry Xanthine... couldn't resist [Smile]

http://tinyurl.com/2pqy87

There's a nekkid girl having sex with a boy on the other end of that link. You've been warned.

...but it's also safe for work... so you've been confused as well (at least until you get brave enough to click the link)

--------------------
Worst. Celibate. Ever.

Posts: 6364 | From: Tennessee | Registered: Jan 2000

Xanthine (Solid Nitrozanium SuperFan!, Member # 736) posted November 18, 2007 21:38:
*snork*

--------------------
And it's one, two, three / On the wrong side of the lee / What were you meant for? / What were you meant for?
- The Decemberists

Posts: 7670 | From: the lab | Registered: Mar 2001

dragonman97 (SuperFan!, Member # 780) posted November 19, 2007 07:51:
Apropos of nothing: I consider some of the 'original' subject matter of the thread to be tripe (not at all directed at Steen [seriously!]), but I would just like to give a friendly reminder to folks about password security in general:
http://www.pbs.org/cringely/pulpit/2007/pulpit_20071116_003446.html

One nice, succinct quote from the above:
quote:
CHANGE YOUR DAMNED PASSWORDS!!


--------------------
There are three things you can be sure of in life: Death, taxes, and reading about fake illnesses online...

Posts: 9332 | From: Westchester County, New York | Registered: May 2001

GrumpySteen (Solid Nitrozanium SuperFan, Member # 170) posted November 19, 2007 11:41:
Actually, I'm going to have to say that Cringely is dead wrong.

In the scenario he's described, changing your password doesn't do you any good because you're -still- using the same password for multiple things and they're all open to anyone who steals that one password.

So... go ahead and use the same password until the end of time without ever changing it. NEVER use exactly the same password on two separate sites, however, no matter how tempting it is. That way, if one password is compromised, everything else isn't automatically open.

If nothing else, add the first three or five letters of the site's domain name or something else related to the site to your standard password so that it's different for every domain.

--------------------
Worst. Celibate. Ever.

Posts: 6364 | From: Tennessee | Registered: Jan 2000

quantumfluff (BlabberMouth, a Blabber Odyssey, Member # 450) posted November 19, 2007 18:09:
Second that. Cringely is rarely a source of any new or useful knowledge.

It's far better to have different passwords for every account and to only connect from a few trusted machines. For example, my banking password is ONLY used with my bank and from a secure machine at home. My gmail password is different. If I MUST get to my gmail account from someone else's machine, I change the password for gmail only as soon as I get home.

I actually take it a step further and give different email addresses to every web service I use, but that's beyond the scope of the course for most people.

Posts: 2902 | From: 5 to 15 meters above sea level | Registered: Jun 2000

dragonman97 (SuperFan!, Member # 780) posted November 19, 2007 19:31:
Maybe I read a totally different article, but I didn't see 'change your password(!) to something else.' I saw "CHANGE YOUR DAMNED PASSWORDS!!" (plural) and many references to the bad practices of users using the same password everywhere. Perhaps it didn't have 48pt. font that said "Hey dumbasses, make sure you take heed of my criticism and pick /different/ passwords for the variety of sites you surf" but I thought that was the logical conclusion.

It's true that a well picked password for each site doesn't require a frequent change, but he wasn't trying to preach to the converted, rather to highlight the problem that exists. I have significantly different passwords for different sites, and keep good track of it all, and I'll be damned if I'm going to change them routinely. That would probably require me to need to consult a guide every time I entered a password, which would be worse security. (Mind you, I do have a secure form of documentation, lest the proverbial bus pays a visit.)

--------------------
There are three things you can be sure of in life: Death, taxes, and reading about fake illnesses online...

Posts: 9332 | From: Westchester County, New York | Registered: May 2001


All times are Eastern Time

2015 Geek Culture
Powered by Infopop Corporation, UBB.classic 6.4.0