25-08-2019, 08:55
#16
Registered User
Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?
Quote:
Originally Posted by benvanstaveren
Also it's perfectly safe to enter your email or password on HaveIBeenPwned - the site is ran by a rather famous security researcher as a free service to the internet community at large, and will only tell you if your email address has been found in data leaked through hacks of various sites.
|
It wouldn't matter if the site was jointly run by Mahatma Gandhi, Martin Luther King, and Che Guevara - providing your password so that a third-party can tell you whether you're supposedly secure is technically called Just Asking For It
Almost like a mass social experiment, "let's see how many people will simply type their passwords because they were asked to do it."
If in doubt, change the password, don't ask anyone whether they think it should be changed.
CF should invest in an SSL cert. I'll put my money where my mouth is and pay for my membership. This is an invaluable resource for me.
25-08-2019, 14:26
#17
Registered User
Join Date: May 2015
Location: Sailing Lake Ontario
Boat: Mirage 35
Posts: 1,162
Re: CF Passwords Hacked?
For goodness sakes folks, check before responding. HaveIBeenPwned doesn't ask for your password.
__________________
Beam me up, Scotty. There's no intelligent life down here.
25-08-2019, 14:28
#18
Registered User
Join Date: May 2015
Location: Sailing Lake Ontario
Boat: Mirage 35
Posts: 1,162
Re: CF Passwords Hacked?
Quote:
Originally Posted by AnglaisInHull
For goodness sakes folks, check before responding. HaveIBeenPwned doesn't ask for your password.
|
And finish the thought before you start typing. It doesn't NECESSARILY ask for passwords - you can check email address or username without it.
__________________
Beam me up, Scotty. There's no intelligent life down here.
25-08-2019, 14:29
#19
Registered User
Join Date: Mar 2018
Location: New Zealand
Boat: 50’ Bavaria
Posts: 1,816
Re: CF Passwords Hacked?
Quote:
Originally Posted by Lake-Effect
If a site's login page is not https, the password still travels in the clear, even if you have a pw manager.
|
Only with a truly terrible website. The password should be hashed on your computer and compared with the hashed version stored on the server. No-one should be transmitting or storing unencrypted passwords anywhere ever.
25-08-2019, 16:44
#20
Registered User
Join Date: Feb 2017
Location: Sea of Cortez
Boat: Passport 41
Posts: 213
Re: CF Passwords Hacked?
Quote:
Originally Posted by Lake-Effect
If a site's login page is not https, the password still travels in the clear, even if you have a pw manager.
|
I think you missed the point of a password manager. No sites share the same password for you. Limits damage to only, in this case, someone posting to CF using my account.
25-08-2019, 18:39
#21
Registered User
Join Date: Aug 2010
Location: Anacortes, WA
Boat: 55' Romsdal
Posts: 2,103
Re: CF Passwords Hacked?
Cruisersforum has not been hacked, at least according to haveibeenpwned, so if your old password shows up as being compromised, it would have been from some other site. That said, it is genuinely brainless and irresponsible for CF not to use https.
26-08-2019, 01:46
#22
Registered User
Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?
Looking a bit more closely, CF does use SSL (TLS 1.3 actually), but there are some images hanging off HTTP links, which makes browsers baulk at the mixed content.
The fix is to get rid of the HTTP links, and go all-HTTPS.
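The mixed-content problem described above (an HTTPS page pulling images or other resources over plain HTTP) is easy to find with an automated check. The following is an added example, not code from the forum or its software: a small scanner that parses a page and lists every subresource fetched over http://, classifying it as "active" (scripts, stylesheets, frames, which modern browsers block outright) or "passive" (images and media, which draw the "not secure" warning). The sample HTML, host names and the `example.invalid` domain are constructed for the demonstration; protocol-relative (`//host/...`) and same-origin relative URLs inherit the page's scheme and are correctly not reported.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute names a subresource the browser fetches automatically.
# Plain <a href> links are navigation, not mixed content, so they are not listed.
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentFinder(HTMLParser):
    """Collects subresource URLs that would be loaded over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser may give None for valueless attributes; normalise to "".
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheet links are fetched as subresources; rel="canonical" etc. are not.
            if "stylesheet" not in attrs.get("rel", "").lower().split():
                return
            attr, kind = "href", "active"
        elif tag in SUBRESOURCE_ATTRS:
            attr, kind = SUBRESOURCE_ATTRS[tag]
        else:
            return
        url = attrs.get(attr, "")
        # urlparse gives scheme "" for "//host/x" and "/x", so only absolute http:// URLs match.
        if urlparse(url).scheme.lower() == "http":
            self.findings.append({"tag": tag, "attr": attr, "url": url, "kind": kind})


def find_mixed_content(html: str) -> list:
    """Return a list of dicts describing each http:// subresource in the page."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def summarize(findings: list) -> dict:
    """Count findings by kind so a report can say 'N blocked, M warned'."""
    return {
        "active": sum(1 for f in findings if f["kind"] == "active"),
        "passive": sum(1 for f in findings if f["kind"] == "passive"),
    }


def suggested_fix(url: str) -> str:
    """The simplest remediation: reference the same resource over https://."""
    return urlparse(url)._replace(scheme="https").geturl()


# Constructed sample page: a mix of clean, protocol-relative, relative and http:// references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/forum.css">
<link rel="canonical" href="http://www.example.invalid/thread">
<script src="https://cdn.example.invalid/forum.js"></script>
</head><body>
<img src="http://images.example.invalid/attachment1.jpg">
<img src="//images.example.invalid/attachment2.jpg">
<img src="/images/local.png" />
<a href="http://www.example.invalid/other-thread">another thread</a>
<iframe src="http://ads.example.invalid/banner"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_HTML)
    for f in found:
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}  ->  {suggested_fix(f['url'])}")
    print(summarize(found))
```

Run against a saved copy of a page (for example `curl -s https://site/thread > page.html` and `find_mixed_content(open("page.html").read())`) this gives the list of URLs that have to be switched to https before the browser warning goes away; anything in the "active" group is the more urgent, since browsers refuse to load it at all.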
26-08-2019, 07:01
#23
Registered User
Join Date: May 2011
Location: Lake Ont
Posts: 8,581
Re: CF Passwords Hacked?
Quote:
Originally Posted by LongRange
Looking a bit more closely, CF does use SSL (TLS 1.3 actually)
|
My bad - the CF login page is https.
26-08-2019, 14:18
#24
Moderator
Join Date: Jan 2007
Location: Pacific NW, USA
Boat: Cape Dory 27
Posts: 8,797
Re: CF Passwords Hacked?
If you are getting e-mail sent to you with your password noted in them AND you did not request password info from us, CHANGE YOUR PASSWORD NOW.
It's likely that you either clicked on some scummy ad that looked like a login page and entered your info or that your password has been collected from another site. Over the years a number of internet forums have been hacked and passwords breached. CF was not one of them but many folks use the same password over and over.
The login pages here are secure (httpS) but as noted, the rest of the site is not. We store no financial info or other sensitive content here and we long ago changed login pages (where password data is encrypted and passed) to meet current security standards.
Last year google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle: "not secure" on browser address lines.
We hand coded an update to make the LOGIN page https. This is the page where user credentials are passed and the only sensitive data we store. Once a member has logged in the site reverts to http (and the alert begins to display in browsers). Using https on all pages actually breaks some things on the forum. Offsite links and hosted images may no longer work, ads don't display, photos, etc.
So... as you login the page is secure (https) but once you have logged in the regular site is http. Since no login/pass info is being sent on these pages we believe this is safe and reasonable. We will eventually switch to full SSL but as noted by other posters there are some concerns to weigh as we make that choice.
You can read more about the google alerts here: https://www.wired.com/story/google-c...-secure-label/
26-08-2019, 15:18
#25
Registered User
Join Date: Aug 2010
Location: Anacortes, WA
Boat: 55' Romsdal
Posts: 2,103
Re: CF Passwords Hacked?
Quote:
Originally Posted by Lake-Effect
My bad - the CF login page is https.
|
My bad as well....
26-08-2019, 15:34
#26
Registered User
Join Date: Dec 2009
Location: Bundaberg, Qld.
Posts: 2,192
Re: CF Passwords Hacked?
Quote:
Originally Posted by Janet H
Last year google began to push websites to use https instead of http as a security update. A few months ago they actually began to display that little red triangle: "not secure" on browser address lines.
|
Funny that, I do see the red triangle but only when posting; normal browsing through CF it's just the circled 'i' with not secure....
Posting....
Browsing....
26-08-2019, 16:56
#27
Registered User
Join Date: Jan 2015
Location: Seattle, WA
Boat: 1980 Pacific International Marine 41.5
Posts: 718
Re: CF Passwords Hacked?
Man, I wish I'd thought of that site... talk about an amazing way to generate a very valid password dictionary.
27-08-2019, 01:28
#28
Registered User
Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?
Quote:
Originally Posted by LongRange
It wouldn't matter if the site was jointly run by Mahatma Gandhi, Martin Luther King, and Che Guevara - providing your password so that a third-party can tell you whether you're supposedly secure is technically called Just Asking For It
|
It actually doesn't ask for it in combination with anything else, so it's fairly useless from that standpoint of "just asking for it" - it's in fact a rather valuable tool to see if a password you are using has been found "in the wild" - because if it has, chances are good you will get your **** hacked sooner or later due to credential stuffing attacks.
Agree on the SSL cert though; these days you can get them for free from LetsEncrypt - good for 90 days, unlimited renewals.
27-08-2019, 01:31
#29
Registered User
Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?
Quote:
Originally Posted by chowdan
Man I wish I thought of that site...talk about an amazing way to generate a very valid password dictionary
|
You'd still need a dictionary beforehand since it doesn't actually give you a list of passwords. Even using their API you don't get to see any passwords, just anonymized SHA1 hashes. Check the technical details on it, it's quite interesting.
And of course, if you hammer their API to see if your dictionary list is any good, they'll block you faster than you can see it coming
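The post above refers to the Pwned Passwords range API, in which the client never sends the password or even its full hash: it SHA-1 hashes the password locally, sends only the first five hex characters of the digest, receives every known suffix sharing that prefix (each with a breach count), and does the comparison itself. The following is an added example, not the forum's or Have I Been Pwned's own code, that implements the client side of that exchange in Python. The range endpoint URL is the real one, but the test harness never contacts it: `make_fake_range_fetcher` stands in for the network with a constructed corpus whose plaintexts and counts are invented for the demonstration, so the example runs offline and shows exactly what leaves the machine (20 bits of a hash) and what comes back.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords k-anonymity API; responses are "SUFFIX:COUNT" lines.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the API's response format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the 5-char prefix is all that is ever sent over the wire."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found in the corpus."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full check: hash locally, fetch the prefix's range, compare locally."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Real network fetch (not used by the offline demonstration below)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "example-range-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_range_fetcher(corpus: dict[str, int]) -> Callable[[str], str]:
    """Build an offline stand-in for the API from a constructed plaintext->count corpus.

    It groups suffixes by prefix exactly as the real service does, so the client code
    above is exercised unchanged; the corpus and counts are constructed for this example.
    """
    by_prefix: dict[str, list[str]] = {}
    for plaintext, count in corpus.items():
        prefix, suffix = split_for_range_query(plaintext)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        lines = list(by_prefix.get(prefix, []))
        # Pad with an unrelated constructed suffix so a response is never just our own line.
        lines.append("0" * 35 + ":1")
        return "\r\n".join(lines)

    return fetch


# Constructed corpus: two well-known weak passwords with invented breach counts.
CONSTRUCTED_CORPUS = {"password": 3730471, "letmein": 254000}

if __name__ == "__main__":
    fetch = make_fake_range_fetcher(CONSTRUCTED_CORPUS)
    for candidate in ("password", "letmein", "a long unique passphrase nobody else uses 7f3"):
        prefix, _ = split_for_range_query(candidate)
        print(f"sent prefix {prefix} -> seen {breach_count(candidate, fetch)} times")
```

Swapping `fetch` for `fetch_range_live` performs the same check against the real service; either way the only thing transmitted is the five-character prefix, and a hit tells the user the password is in circulation and should be retired, which is the credential-stuffing risk the earlier post mentions.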
27-08-2019, 21:56
#30
Registered User
Join Date: Jan 2015
Location: Seattle, WA
Boat: 1980 Pacific International Marine 41.5
Posts: 718
Re: CF Passwords Hacked?
Quote:
Originally Posted by benvanstaveren
You'd still need a dictionary beforehand since it doesn't actually give you a list of passwords. Even using their API you don't get to see any passwords, just anonymized SHA1 hashes. Check the technical details on it, it's quite interesting.
And of course, if you hammer their API to see if your dictionary list is any good, they'll block you faster than you can see it coming
|
That's not what I meant.
Their service has a db store of all hacked passwords, right? As a user, you enter your questionable password and they validate against the db, checking to see if it's stored.
If stored, return "password found", else return "password not found".
What I was saying was that you could easily build a very valid dictionary by building the website. Sure, you could have hacked passwords to validate against, but you'd gain metrics on something like how popular a password is, or redirects to your site, email addresses (selling lists, for example)... all sorts of goodies that could be used for malicious purposes.
I'm not saying that this site is doing that, but they have the ability to do some very malicious things.