Total posts: [13]
More password security, please:
(edited 3rd Nov '11 5:48:52 AM by Xzenu)
2 Fighteer, Thu, 3rd Nov '11 6:42:46 AM, from the Time Vortex
Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
Passwords are stored in cookies. You should never save your login cookie on a shared computer. This is Security Basics 101.
Dragon Writer
Being able to change your password without verifying the current one is a security flaw. The current password is used to prove that you are, in fact, the owner of the account and authorized to do so.
Yeah, unwritten rule number one: follow all the unwritten procedures. - Camacan
(edited 3rd Nov '11 1:28:00 PM by FastEddie)
8 Fighteer, Thu, 3rd Nov '11 1:50:08 PM, from the Time Vortex
Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
In an ideal world, the local cookie would store the handle and password in encrypted form so that a third party can't simply open it and read it. Similarly, the password change form should require that the current one be input manually rather than automatically copied from the cookie. Any form input that takes the password from the cookie should handle it encrypted rather than in plaintext.
That said, Eddie has publicly stated that handle security on this wiki is not an issue with which he is strongly concerned. I can't honestly count a single issue of a compromised TV Tropes account that we've been able to verify.
10 Fighteer, Thu, 3rd Nov '11 2:19:53 PM, from the Time Vortex
Relationship Status: Dancing with Captain Jack Harkness
Geronimo!
Hmm, true. But lots of sites store encrypted passwords in their cookies; it must have some security value — the biggest one, of course, being to prevent someone from just changing your password without you knowing.
(edited 3rd Nov '11 2:23:02 PM by FastEddie)
Dragon Writer
@Log: Good point, I forgot that TV Tropes doesn't use session cookies, just login cookies. Of course, it does mean the username/pass is being sent cleartext with every request, but that's almost par for the course.
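As an added example (not code from this thread or from TV Tropes), here is a minimal Python sketch of the login and password-change flow the posters above are arguing for: the password is kept only as a salted hash, the cookie carries an opaque random session token instead of the handle/password pair, and changing the password requires both a valid session and the current password typed in by the user, so a login cookie left on a shared computer is not enough on its own. The in-memory stores, function names and PBKDF2 parameters are assumptions made for illustration, not the wiki's actual implementation.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a real user database and
# session table (assumption: a production site would persist these).
USERS = {}     # handle -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # opaque session token -> handle

PBKDF2_ROUNDS = 200_000  # assumed work factor for illustration


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(handle: str, password: str) -> None:
    """Create (or reset) a user with a fresh random salt."""
    salt = os.urandom(16)
    USERS[handle] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(handle: str, password: str) -> bool:
    """Check a password against the stored hash without revealing it."""
    user = USERS.get(handle)
    if user is None:
        return False
    # Constant-time comparison so a mismatch cannot be timed byte by byte.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def login(handle: str, password: str) -> Optional[str]:
    """Return the session token to place in the cookie, or None on bad credentials.

    The cookie carries only this random token; the handle and password are
    sent once, at login, and never stored client-side or re-sent per request.
    """
    if not verify_password(handle, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = handle
    return token


def handle_for_session(token: str) -> Optional[str]:
    """Resolve a cookie token back to its handle (None if unknown or revoked)."""
    return SESSIONS.get(token)


def change_password(token: str, current_password: str, new_password: str) -> bool:
    """Require a valid session AND the current password to change it.

    A session cookie alone (for example one left on a shared computer) is not
    sufficient; the user must prove ownership by typing the current password.
    """
    handle = handle_for_session(token)
    if handle is None:
        return False
    if not verify_password(handle, current_password):
        return False
    register(handle, new_password)  # re-salt and re-hash the new password
    # Revoke every other session for this handle so a stolen cookie stops working.
    for stale in [t for t, h in SESSIONS.items() if h == handle and t != token]:
        del SESSIONS[stale]
    return True


def logout(token: str) -> None:
    """Invalidate a session token server-side; the cookie becomes useless."""
    SESSIONS.pop(token, None)
```

Because the token is random and looked up server-side, it can be revoked at any time (on logout, on password change, or after a shared-computer incident), which is something a cookie holding the password itself, encrypted or not, can never offer.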