Signup form doesn't mask passwords

Discussion in 'VPN' started by SierraAR, Jul 1, 2012.

  1. SierraAR

    SierraAR Community Advocate Community Support

    http://sierrabrown.me/ss/phggq97.jpg

    The signup form on the front page of x10vps.com doesn't mask the password fields with asterisks (***). This is a bit of a security issue for public areas or people with nosey 'friends'.
     
  2. GtoXic

    GtoXic x10 Support

    Yeah, I can confirm this, tested in FF, Chrome and IE.
     
  3. bdistler

    bdistler Well-Known Member Prime Account

    Just received my password by email as "plaintext" - not nice

    I confirm the signup form shows the password as "plaintext" - not nice

    I assume from the above my password is stored unencrypted (same as "plaintext") by x10hosting
     
  4. leafypiggy

    leafypiggy Manager of Pens and Office Supplies Staff Member

    Without looking at the code, I couldn't say for sure, but I'm willing to bet your password is hashed in our database. Just because you receive an email with your password doesn't mean the password's being stored in cleartext (correct wording, it's not plaintext). It's as simple as setting a separate variable with the stored password for email, or simply sending the email before hashing. As for the confirmation page - it's probably in the GET params (or it's a cookie).
     
  5. essellar

    essellar Community Advocate Community Support

    Password masking should only ever be an option (or at the very least, there should be an option to render clear text). Y'all folks ought to keep up on security best practices—the object of the game is to encourage passwords with high entropy (longer is better, regardless of the complexity of the character pattern) and that results in greater opportunities for typos. Password masking tends to encourage simpler/shorter passwords.

    Emailing clear text passwords is generally a bad idea no matter how the password is actually stored in the login system (and one would hope that it's at least stored as a salted hash with a high work factor; preferable is both salt and pepper)—email systems are rarely as secure as one would like, and an email program (or a webmail page) is one of those things that's likely to be left open for an extended period of time.
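    The storage scheme essellar describes (salt, a high work factor, and a server-side pepper) alongside a registration path that never puts the password into the email, as an added example that is not code from x10hosting or anyone in this thread. The PEPPER value, the iteration count and the in-memory `db` dict are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed sample. A real pepper lives in server config, never in the database,
# so a dumped user table alone is not enough to run an offline guessing attack.
PEPPER = b"constructed-pepper-kept-in-config-not-db"
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster

def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex)."""
    salt = salt or secrets.token_bytes(16)  # fresh per-user salt on registration
    # Pepper: HMAC the password with the server secret before the slow KDF.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, _digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, record)

def register(username: str, password: str, db: dict) -> str:
    """Store only the hash and return a welcome mail body that omits the password."""
    db[username] = hash_password(password)
    return (f"Welcome {username}. Your account is ready; log in with the "
            "password you chose. If you did not sign up, contact support.")
```

Because the salt and iteration count are carried in the record, the work factor can be raised later and old records re-hashed at the user's next successful login.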
     
  6. Bryon

    Bryon I Fix Things

    You know what they say about assumptions...
     
    Last edited: Jul 15, 2012
  7. Corey

    Corey I Break Things Staff Member

    Just to clarify on some things...

    I've never agreed with the masking password field thing on registration; it doesn't change the way it is stored/submitted on the server... it only causes inconvenience for the user. Apparently it's to prevent shoulder peeping? As it is a simple change I'll go ahead and enable it.

    With that said, I understand the email issue... personally I change my passwords any time I get one via email, whether it's a reset/registration, etc. But I understand not everyone does what I do, so I'll fix that so passwords are no longer emailed, and if someone 'forgets', the email clearly tells them to log in and change it immediately. If I have time I'll force a password change upon login from a reset.

    Passwords are encrypted in all of our systems; it was very difficult to do encryption with the VPN setup due to RADIUS, but it is done. Overall I think the way we handle things in general between all the systems/sites we have is very secure compared to the industry norm.
     