Tech Wishlist & Bug Reports:
More password security, please
More password security, please:

I just tried to change my password, only to realize that...

  1. This can be done without entering the old password.
  2. The old password is shown in plain text.
  3. The fact that an account tends to stay logged in after the browser is shut down makes it easy for whoever comes next to #1 hijack the account by not only using the account but also changing the password, and #2 log in to any community where the user used the same password.

Changing this would be a good thing. Sorry if there's a thread for this already and I missed it. I did check, but I have a headache today and even missed one obvious link.

edited 3rd Nov '11 5:48:52 AM by Xzenu

 2 Fighteer, Thu, 3rd Nov '11 6:42:46 AM from the Time Vortex Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
Passwords are stored in cookies. You should never save your login cookie on a shared computer. This is Security Basics 101.

I know that. And I'm also very restrictive with what computers I log in from.

Yet, people sometimes make mistakes. And what about visitors?

Dragon Writer
Being able to change your password without verifying the current one is a security flaw. The current password is used to prove that you are, in fact, the owner of the account and authorized to do so.
[up]Except your password is stored in the login cookie, making that nothing but security theater. This also has the side effect that you need to re-login on other computers/browsers/profiles you do stay logged in on if you change your password.
Yeah, unwritten rule number one: follow all the unwritten procedures. - Camacan
For the average user, there's a huge difference between clicking a link and opening up a cookie.

The change pass page does verify that the handle/password combo is valid before offering the screen.

If you change your password and some other machine has you logged in with a different password, that machine's combo becomes invalid.

edited 3rd Nov '11 1:28:00 PM by FastEddie

Goal: Clear, Concise and Witty
 8 Fighteer, Thu, 3rd Nov '11 1:50:08 PM from the Time Vortex Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
In an ideal world, the local cookie would store the handle and password in encrypted form so that a third party can't simply open it and read it. Similarly, the password change form should require that the current one be input manually rather than automatically copied from the cookie. Any form input that takes the password from the cookie should handle it encrypted rather than in plaintext.

That said, Eddie has publicly stated that handle security on this wiki is not an issue with which he is strongly concerned. I can't honestly count a single issue of a compromised TV Tropes account that we've been able to verify.

^ That's theater, encrypting the cookie. Copying the encrypt is just as easy as copying the text. It only matters to humans, what the sense of the string is.
Goal: Clear, Concise and Witty
 10 Fighteer, Thu, 3rd Nov '11 2:19:53 PM from the Time Vortex Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
Hmm, true. But lots of sites store encrypted passwords in their cookies; it must have some security value — the biggest one, of course, being to prevent someone from just changing your password without you knowing.

It's just a reflex. A lot of sites do stuff that is security-like without actually being security.

edited 3rd Nov '11 2:23:02 PM by FastEddie

Goal: Clear, Concise and Witty
Precautions that don't protect against computer experts still protect against nosy relatives - the majority of them are only familiar with the kind of cookies bought in grocery stores. :-)

I'm not asking you to make it a big priority. But if you could eventually make the two changes I'm asking for, I'd appreciate it.

  1. Make it so that the current password is not spelled out in plain text in the browser window.
  2. Make it so that you have to type in your current password in order to switch to your new password.

Dragon Writer
@Log: Good point, I forgot that TV Tropes doesn't use session cookies, just login cookies. Of course, it does mean the username/pass is being sent cleartext with every request, but that's almost par for the course.
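The thread circles around three points: the login cookie carries the password itself (so a copied cookie also leaks it to every other site where it is reused), the change-password form does not ask for the current password, and, as FastEddie notes, merely encrypting the cookie changes none of that because the ciphertext can be copied just as easily. The following is an added illustration, not code from TV Tropes or from anyone in this thread, of the design the posters are asking for: the cookie holds only a random session token, passwords are stored as salted hashes, and a password change requires the current password and revokes every other session. The handle, the passwords and the in-memory dictionaries standing in for user and session tables are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a real user table and session table.
USERS = {}      # handle -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session token -> handle

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the server never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(handle: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[handle] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(handle: str, password: str) -> bool:
    user = USERS.get(handle)
    if user is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def login(handle: str, password: str):
    """Return the cookie value for a new session: a random token, never the password."""
    if not verify_password(handle, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = handle
    return token


def whoami(cookie_token: str):
    """Resolve a cookie to a handle; unknown or revoked tokens map to None."""
    return SESSIONS.get(cookie_token)


def logout(cookie_token: str) -> None:
    SESSIONS.pop(cookie_token, None)


def change_password(cookie_token: str, current_password: str, new_password: str) -> bool:
    """Require a live session AND the typed current password; on success,
    re-hash with a fresh salt and revoke every other session for this handle."""
    handle = whoami(cookie_token)
    if handle is None or not verify_password(handle, current_password):
        return False
    salt = os.urandom(16)
    USERS[handle] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    for token in [t for t, h in SESSIONS.items() if h == handle and t != cookie_token]:
        del SESSIONS[token]
    return True


def demo() -> dict:
    """Walk through the thread's scenario: a login left on a shared machine."""
    register("xzenu", "correct horse")
    shared = login("xzenu", "correct horse")   # session left behind on a shared PC
    home = login("xzenu", "correct horse")     # the owner's own machine
    results = {}
    # Point #2 from the first post: the cookie no longer contains the password.
    results["stolen_cookie_reveals_password"] = "correct horse" in shared
    # FastEddie's point still holds: whoever holds the cookie is logged in.
    results["stolen_cookie_logs_in"] = whoami(shared) == "xzenu"
    # Point #1: changing the password needs the current one, so the session alone is not enough.
    results["hijack_without_current_pw"] = change_password(shared, "wrong guess", "pwned")
    # The owner rotates the password from home; the leftover session is revoked.
    results["owner_rotates_pw"] = change_password(home, "correct horse", "new passphrase")
    results["stolen_cookie_still_valid"] = whoami(shared) is not None
    results["home_still_valid"] = whoami(home) == "xzenu"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A copied session token is still a bearer credential, so Fighteer's "don't save your login on a shared computer" advice is unchanged; what the token design buys is damage limitation: the thief learns no password to reuse elsewhere, cannot lock the owner out by changing it, and loses access the moment the owner logs out of that session or changes the password.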


TV Tropes by TV Tropes Foundation, LLC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available from thestaff@tvtropes.org.