Make sure your SHGA password isn't used anywhere else

OP
Posts: 1134
Joined: Wed May 27, 2009 9:28 am
Location: SFV

Post by OP » Sun Sep 08, 2013 5:30 pm

It's incredibly insecure. It broadcasts the username and password in plain text in easily sniffed packets.

Image

JD
Posts: 1696
Joined: Fri Apr 25, 2008 11:05 am

Post by JD » Mon Sep 09, 2013 7:06 am

Thanks OP. How did you access this information? Is this something that anyone could do using Freeware like Wireshark?

Post by OP » Mon Sep 09, 2013 3:27 pm

Yea that's freeware. Wireshark is shown in the jpeg. Try it on yourself to see how easy it is.

:o

Post by JD » Mon Sep 09, 2013 5:31 pm

OP wrote: Yea that's freeware. Wireshark is shown in the jpeg. Try it on yourself to see how easy it is....

Thanks OP. See you at the Dahlston

Chip
Site Admin
Posts: 645
Joined: Thu Apr 28, 2005 8:20 pm
Location: Sylmar, CA

Post by Chip » Mon Sep 09, 2013 7:59 pm

Uh, easy enough when you are on the same network or using the same computer you are using to sniff. Otherwise you need to intercept them. So not as easy as you might be leading others to believe.

Sure it would be nice to move to phpBB3 where we can use something other than the default MD5 hash encryption method. But we'll need to re-write a significant portion of the web site to work with MySQL since phpBB3 does not work with MS Access (our current DB).

About a year and a half ago, I successfully tested the upgrade from phpBB2 to 3. It was relatively easy, but because the new forum uses a new login hash, the SHGA pilot login section would need to be re-written at a minimum.

Step up anytime you are willing to put in the hours

Post by OP » Wed Sep 11, 2013 2:12 pm

Just a warning to those who use a single password for everything. If we share a common wifi network, I can get your info. So if we are both on the wifi in the lz, I can easily read your username and password.

Just a word to all who do this:
Oh look free unprotected wifi at the coffee shop. Let me log into SHGA, Facebook, email and my bank. They could figure out who you are and "go chop your dollar." http://bit.ly/QGmW2U

Migrating looks like a huge hassle. This works great for our purposes. Thanks for running this thing for us Chip.

Post by Chip » Sun Sep 15, 2013 8:34 am

Strongly suggest that everyone use a password manager like RoboForm, LastPass, KeePass.

Most of them have some sort of password generator that randomizes the password and can keep track of the password changes for each site you visit.

I'm using RoboForm, but many people are using LastPass and like it for its dual factor authentication options. Either way, a password manager is a good way of having passwords that are separate for every place on the internet you visit and you only need to remember one master password.

Easy to install, takes a bit of trust to go completely in, but once you start using one, you'll wonder why it took you so long to start using one.

Concerned that you cannot use it if you aren't at the computer you installed it on? Don't be. All of them have a way to view the password online after you authenticate with the correct credentials. Most good password managers also work with your smartphone too.