Cruisers Forum
Old 25-08-2019, 07:55   #16
Registered User

Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?

Quote:
Originally Posted by benvanstaveren View Post
Also it's perfectly safe to enter your email or password on HaveIBeenPwned - the site is ran by a rather famous security researcher as a free service to the internet community at large, and will only tell you if your email address has been found in data leaked through hacks of various sites.
It wouldn't matter if the site was jointly run by Mahatma Gandhi, Martin Luther King, and Che Guevara - providing your password so that a third party can tell you whether you're supposedly secure is technically called Just Asking For It.

Almost like a mass social experiment, "let's see how many people will simply type their passwords because they were asked to do it."

If in doubt, change the password, don't ask anyone whether they think it should be changed.

CF should invest in a SSL cert. I'll put my money where my mouth is and pay for my membership. This is an invaluable resource for me.
LongRange is offline  
Old 25-08-2019, 13:26   #17
Registered User
 
Mirage35's Avatar

Join Date: May 2015
Location: Sailing Lake Ontario
Boat: Mirage 35
Posts: 1,126
Re: CF Passwords Hacked?

For goodness sakes folks, check before responding. HaveIBeenPwned doesn't ask for your password.
__________________
Beam me up, Scotty. There's no intelligent life down here.
Mirage35 is offline  
Old 25-08-2019, 13:28   #18
Registered User
 
Mirage35's Avatar

Join Date: May 2015
Location: Sailing Lake Ontario
Boat: Mirage 35
Posts: 1,126
Re: CF Passwords Hacked?

Quote:
Originally Posted by AnglaisInHull View Post
For goodness sakes folks, check before responding. HaveIBeenPwned doesn't ask for your password.
And finish the thought before you start typing. It doesn't NECESSARILY ask for passwords - you can check email address or username without it.
__________________
Beam me up, Scotty. There's no intelligent life down here.
Mirage35 is offline  
Old 25-08-2019, 13:29   #19
Registered User

Join Date: Mar 2018
Location: New Zealand
Boat: 50’ Bavaria
Posts: 1,809
Re: CF Passwords Hacked?

Quote:
Originally Posted by Lake-Effect View Post
If a site's login page is not https, the password still travels in the clear, even if you have a pw manager.
Only with a truly terrible website. The password should be hashed on your computer and compared with the hashed version stored on the server. No-one should be transmitting or storing unencrypted passwords anywhere ever.
Tillsbury is offline  
Old 25-08-2019, 15:44   #20
Registered User

Join Date: Feb 2017
Location: Sea of Cortez
Boat: Passport 41
Posts: 213
Re: CF Passwords Hacked?

Quote:
Originally Posted by Lake-Effect View Post
If a site's login page is not https, the password still travels in the clear, even if you have a pw manager.
I think you missed the point of a password manager. No sites share the same password for you. Limits damage to only, in this case, someone posting to CF using my account.
kev_rm is offline  
Old 25-08-2019, 17:39   #21
Registered User
 
Delfin's Avatar

Join Date: Aug 2010
Location: Anacortes, WA
Boat: 55' Romsdal
Posts: 2,103
Re: CF Passwords Hacked?

Cruisersforum has not been hacked, at least according to haveibeenpwned, so if your old password shows up as being compromised, it would have been from some other site. That said, it is genuinely brainless and irresponsible for CF not to use https.
Delfin is offline  
Old 26-08-2019, 00:46   #22
Registered User

Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?

Looking a bit more closely, CF does use SSL (TLS 1.3 actually), but there are some images hanging off HTTP links, which makes browsers baulk at the mixed content.

The fix is to get rid of the HTTP links, and go all-HTTPS.
LongRange is offline  
Old 26-08-2019, 06:01   #23
Registered User

Join Date: May 2011
Location: Lake Ont
Posts: 8,548
Re: CF Passwords Hacked?

Quote:
Originally Posted by LongRange View Post
Looking a bit more closely, CF does use SSL (TLS 1.3 actually)
My bad - the CF login page is https.
Lake-Effect is offline  
Old 26-08-2019, 13:18   #24
Moderator
 
Janet H's Avatar

Cruisers Forum Supporter

Join Date: Jan 2007
Location: Pacific NW, USA
Boat: Cape Dory 27
Posts: 8,590
Images: 6
Re: CF Passwords Hacked?

If you are getting e-mail sent to you with your password noted in them AND you did not request password info from us, CHANGE YOUR PASSWORD NOW.

It's likely that you either clicked on some scummy ad that looked like a login page and entered your info or that your password has been collected from another site. Over the years a number of internet forums have been hacked and passwords breached. CF was not one of them but many folks use the same password over and over.

The login pages here are secure (httpS) but as noted, the rest of the site is not. We store no financial info or other sensitive content here and we long ago changed login pages (where password data is encrypted and passed) to meet current security standards.

Last year google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle; "not secure" on browser address lines.

We hand coded an update to make the LOGIN page https. This is the page where user credentials are passed and the only sensitive data we store. Once a member has logged in the site reverts to http (and the alert begins to display in browsers). Using https on all pages actually breaks some things on the forum. Offsite links and hosted images may no longer work, ads don't display, photos, etc.

So... as you login the page is secure (https) but once you have logged in the regular site is http. Since no login/pass info is being sent on these pages we believe this is safe and reasonable. We will eventually switch to full SSL but as noted by other posters there are some concerns to weigh as we make that choice.

You can read more about the google alerts here: https://www.wired.com/story/google-c...-secure-label/
__________________
Meddle not in the affairs of dragons, for you are crunchy, and taste good with ketchup.
Janet H is offline  
Old 26-08-2019, 14:18   #25
Registered User
 
Delfin's Avatar

Join Date: Aug 2010
Location: Anacortes, WA
Boat: 55' Romsdal
Posts: 2,103
Re: CF Passwords Hacked?

Quote:
Originally Posted by Lake-Effect View Post
My bad - the CF login page is https.
My bad as well....
Delfin is offline  
Old 26-08-2019, 14:34   #26
Registered User
 
IslandHopper's Avatar

Join Date: Dec 2009
Location: Bundaberg, Qld.
Posts: 2,192
Re: CF Passwords Hacked?

Quote:
Originally Posted by Janet H View Post

Last year google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle; "not secure" on browser address lines.
Funny that, I do see the red triangle but only when posting; normal browsing through CF it's just the circled 'i' with not secure....

Posting....


Browsing....
__________________
International Guild of Knot Tyers

Be Brave, Take Risks, Nothing Can Substitute Experience
IslandHopper is offline  
Old 26-08-2019, 15:56   #27
Registered User

Join Date: Jan 2015
Location: Seattle, WA
Boat: 1980 Pacific International Marine 41.5
Posts: 710
Re: CF Passwords Hacked?

Man I wish I thought of that site...talk about an amazing way to generate a very valid password dictionary
chowdan is offline  
Old 27-08-2019, 00:28   #28
Registered User

Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?

Quote:
Originally Posted by LongRange View Post
It wouldn't matter if the site was jointly run by Mahatma Gandhi, Martin Luther King, and Che Guevara - providing your password so that a third-party can tell you whether you're supposedly secure is technically called Just Asking For It

It actually doesn't ask for it in combination with anything else, so it's fairly useless from that standpoint of "just asking for it" - it's in fact a rather valuable tool to see if a password you are using has been found "in the wild" - because if it has, chances are good you will get your **** hacked sooner or later due to credential stuffing attacks.



Agree on the SSL cert though; these days you can get them for free from LetsEncrypt - good for 90 days, unlimited renewals.
benvanstaveren is offline  
Old 27-08-2019, 00:31   #29
Registered User

Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?

Quote:
Originally Posted by chowdan View Post
Man I wish I thought of that site...talk about an amazing way to generate a very valid password dictionary

You'd still need a dictionary beforehand since it doesn't actually give you a list of passwords. Even using their API you don't get to see any passwords, just anonymized SHA1 hashes. Check the technical details on it, it's quite interesting.



And of course, if you hammer their API to see if your dictionary list is any good, they'll block you faster than you can see it coming
benvanstaveren is offline  
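The range lookup benvanstaveren refers to, shown as an added example (not the poster's code, nor HIBP's own): the client hashes the password locally, sends only the first five hex characters of the SHA-1, and compares the returned suffixes on its own machine, so the full hash never leaves the client. The response body below is a constructed sample in the real `SUFFIX:COUNT` line format; the counts and the two extra suffixes are made up, and no network call is made.

```python
import hashlib

# Constructed stand-in for the body of a Pwned Passwords range lookup
# (GET /range/<first five hex chars of SHA-1>). Each line is
# "<remaining 35 hex chars>:<times seen in breaches>". The counts and the
# second and third suffixes are made up for this example; only the line
# format is real.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range) -> tuple[str, int]:
    """Run the k-anonymity check. fetch_range(prefix) stands in for the
    HTTPS call and only ever receives the 5-char prefix."""
    prefix, suffix = split_hash(password)
    return prefix, count_in_range(suffix, fetch_range(prefix))


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the network call, serving the constructed sample
    for the one prefix it knows about and an empty range otherwise."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    sent, seen = check_password("password", fake_fetch)
    print(f"sent prefix {sent}; password seen {seen} times")
```

The matching suffix in the sample is the real SHA-1 of the string "password", so running the block reports that prefix `5BAA6` was sent and the password was found.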
Old 27-08-2019, 20:56   #30
Registered User

Join Date: Jan 2015
Location: Seattle, WA
Boat: 1980 Pacific International Marine 41.5
Posts: 710
Re: CF Passwords Hacked?

Quote:
Originally Posted by benvanstaveren View Post
You'd still need a dictionary beforehand since it doesn't actually give you a list of passwords. Even using their API you don't get to see any passwords, just anonymized SHA1 hashes. Check the technical details on it, it's quite interesting.



And of course, if you hammer their API to see if your dictionary list is any good, they'll block you faster than you can see it coming
That's not what I meant.

Their service has a db store of all hacked passwords, right? As a user, you enter your questionable password and they validate against the db, checking to see if it's stored.

If stored return "password found", else return "password not found".

What I was saying was that you could easily build a very valid dictionary by building the website. Sure, you could have hacked passwords to validate against, but you'd gain metrics on something like how popular a password is, or redirects to your site, email addresses (selling lists for example)... all sorts of goodies that could be used for malicious purposes.

I'm not saying that this site is doing that, but they have the ability to do some very malicious things.
chowdan is offline  