
Guess what? AT sends your forum password in the clear!

Most sites you use are as insecure as this one.

Welcome to security concerns on the internet 101, circa 1992.
 
btw, i hope u guys know some passwords you use to register are stored unencrypted too. Admins with access to the db can just read your passwords right there... and perhaps attempt to use it at your associated email provider login or whatever else. Don't assume it's encrypted gibberish in there.
 
The attitude toward security displayed in this thread is exactly why there are so many successful worms (well, that and gaping holes in Windows) and e-mail viruses. The "there's nothing important to me that they could get with that information." That may be true, but what about others? For those of you that don't know, DDOS attacks are usually launched from zombies whose owners don't even know they've been compromised. More importantly, they don't even care.

Look, my point is NOT that we are all significantly more-vulnerable to "scary cyber attacks." My point is that, as Pepsi90919 pointed out, this is a hardware review site. The operators of this site should be working to combat the problem, not ignore it. The LEAST they can do is warn new users. If you can provide security, why not do so? Because you're too lazy/cheap? I'm sorry, but that's not a good reason.
 
No, many of us posting understand your point perfectly, and some of us have coded clients for or even designed secure authentication systems. We just don't care about the security of this particular website.
 
Who cares? It's a forum, accounts are free, and having someone else's account wouldn't get you anything special except a vacation.
 
Originally posted by: rh71
btw, i hope u guys know some passwords you use to register are stored unencrypted too. Admins with access to the db can just read your passwords right there... and perhaps attempt to use it at your associated email provider login or whatever else. Don't assume it's encrypted gibberish in there.

Ding ding ding! T3h winner!
 
Originally posted by: EpsiIon
The attitude toward security displayed in this thread is exactly why there are so many successful worms (well, that and gaping holes in Windows) and e-mail viruses.

no, that's actually a consequence of using a microsoft based operating system.
 
Originally posted by: tami
Originally posted by: EpsiIon
The attitude toward security displayed in this thread is exactly why there are so many successful worms (well, that and gaping holes in Windows) and e-mail viruses.

no, that's actually a consequence of using a microsoft based operating system.

I use a microsoft OS, always have, and have yet to get a single virus on any personal machine.
 
Originally posted by: malak
Originally posted by: tami
Originally posted by: EpsiIon
The attitude toward security displayed in this thread is exactly why there are so many successful worms (well, that and gaping holes in Windows) and e-mail viruses.

no, that's actually a consequence of using a microsoft based operating system.

I use a microsoft OS, always have, and have yet to get a single virus on any personal machine.

same here

all my "geeky" friends are all like, "Linux rox0rz your sox0rz, no viruses or spywarez!"

i just tell them that if they get viruses or spyware, that they are just too stupid to own a computer
 
Originally posted by: DaveSimmons
No, many of us posting understand your point perfectly, and some of us have coded clients for or even designed secure authentication systems. We just don't care about the security of this particular website.

I know this, Dave. Some posting in this thread are much more qualified to discuss computer security than I am. Some just don't care. The unqualified ones who don't care are part of the problem, not you. Their apathy is not rooted in a knowledge of the issue, but in the simple belief "nothing bad will happen to me."

The fact that I entered a debate about the merits of encrypting forum passwords is slightly embarrassing, but not extremely so. Personally, I would prefer that logins were encrypted (for the sake of people like my mother and father, who really have no clue). That's not my call and I use their free service, so I can't really complain. But I don't think it's an inappropriate issue to raise.

For most cases the whole issue is irrelevant, but (beyond the principle of the matter) it would be nice if we could at least warn those who don't know...
 
Originally posted by: EpsiIon
The unqualified ones who don't care are part of the problem, not you. Their apathy is not rooted in a knowledge of the issue, but in the simple belief "nothing bad will happen to me."

The fact that I entered a debate about the merits of encrypting forum passwords is slightly embarrassing, but not extremely so. Personally, I would prefer that logins were encrypted (for the sake of people like my mother and father, who really have no clue). That's not my call and I use their free service, so I can't really complain. But I don't think it's an inappropriate issue to raise.

All valid points, there is some truth in that AOL commercial with the people who don't know or care about protecting themselves.

It's just that you presented the weak security of these specific forums as being shocking and dangerous, when the odds of it being exploited are low and the consequences of a breach are not very alarming 🙂
 
Originally posted by: rh71
btw, i hope u guys know some passwords you use to register are stored unencrypted too. Admins with access to the db can just read your passwords right there... and perhaps attempt to use it at your associated email provider login or whatever else. Don't assume it's encrypted gibberish in there.

so true.
 
I only use my anandtech password for not-so-important stuff. I use a harder password for my email accounts, and a MUCH harder password for my admin accounts, university accounts, etc.
 
I thought AT Forums sent you a password when you register? I don't know I guess I never bothered to change it after that so it's a one and only type of dealy.
 
Originally posted by: DaveSimmons
Originally posted by: EpsiIon
The unqualified ones who don't care are part of the problem, not you. Their apathy is not rooted in a knowledge of the issue, but in the simple belief "nothing bad will happen to me."

The fact that I entered a debate about the merits of encrypting forum passwords is slightly embarrassing, but not extremely so. Personally, I would prefer that logins were encrypted (for the sake of people like my mother and father, who really have no clue). That's not my call and I use their free service, so I can't really complain. But I don't think it's an inappropriate issue to raise.

All valid points, there is some truth in that AOL commercial with the people who don't know or care about protecting themselves.

It's just that you presented the weak security of these specific forums as being shocking and dangerous, when the odds of it being exploited are low and the consequences of a breach are not very alarming 🙂

Yeah, I did sort of blow the whole thing out of proportion in my OP; I probably shouldn't have been so sarcastic. Sorry about that.
 
Originally posted by: EpsiIon
The problem: We have this username and password system that is used to authenticate people, and it's basically a farce. If you aren't going to hide your password, what's the point of having one? People do screwed up things; I'd be frustrated if somebody stole my password and made a few dozen posts as me before getting my account banned...

I dunno, it's kind of like self-serve newspaper vending machines. You drop in your quarters, you take a paper. Yeah, if you really wanted to, you could empty the whole thing, and perhaps even resell them. Yeah, someone could potentially steal your AT login password. But how much damage could they really do with that?
Not all of us live with needing quadruple dead-bolt locks on all of our doors, and metal mesh screens and kryptonite locks on our lower-floor windows. I mean, I realize that ATOT posts are very important and all, but keep things in perspective. Security is a process, and part of that is trading off your real needs for security, against the inconveniences that you put up with to secure them, since they are almost always at the opposite ends of the spectrum.

Originally posted by: EpsiIon
Besides, what about users who don't have a basic understanding of computer security? They might use the same password for EVERYTHING (stupid, yes, but it happens) and wouldn't even know that their forum password is far less secure than, say, their online banking password. The least AT could do is put up a giant warning when you create an account...

Honestly, it all seems pointless to me.
Fixed.
 
Originally posted by: hevnsnt
You want to know what is CRAZY? FTP/Email/Telnet All send your username/pass in the clear.
Pretty soon you can hack the internet now that you know this little secret.
OMGWTFBBQHACKTHEPLANET! Quick, pass the PATRIOT ACT 3: FINAL FREEDOM CHAPTER, we will all soon be "0w3nd by 0s3m3" now that the secret is out!!!

 