Passwords are stored in cookies. You should never save your login cookie on a shared computer. This is Security Basics 101.
"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
I know that. And I'm also very restrictive about which computers I log in from.
Yet, people sometimes make mistakes. And what about visitors?
Being able to change your password without verifying the current one is a security flaw. The current password is used to prove that you are, in fact, the owner of the account and authorized to do so.
An Ear Worm is like a Rickroll: It is never going to give you up.
Except your password is stored in the login cookie, making that nothing but security theater. This also has the side effect that you need to re-login on other computers/browsers/profiles you do stay logged in on if you change your password.
Yeah, unwritten rule number one: follow all the unwritten procedures. - Camacan
For the average user, there's a huge difference between clicking a link and opening up a cookie.
The change pass page does verify that the handle/password combo is valid before offering the screen.
If you change your password and some other machine has you logged in with a different password, that machine's combo becomes invalid.
edited 3rd Nov '11 1:28:00 PM by FastEddie
Goal: Clear, Concise and Witty
In an ideal world, the local cookie would store the handle and password in encrypted form so that a third party can't simply open it and read it. Similarly, the password change form should require that the current one be input manually rather than automatically copied from the cookie. Any form input that takes the password from the cookie should handle it encrypted rather than in plaintext.
That said, Eddie has publicly stated that handle security on this wiki is not an issue with which he is strongly concerned. I can't honestly count a single issue of a compromised TV Tropes account that we've been able to verify.
"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
^ That's theater, encrypting the cookie. Copying the encrypted string is just as easy as copying the text. It only matters to humans what the sense of the string is.
Goal: Clear, Concise and Witty
Hmm, true. But lots of sites store encrypted passwords in their cookies; it must have some security value — the biggest one, of course, being to prevent someone from just changing your password without you knowing.
"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
It's just a reflex. A lot of sites do stuff that is security-like without actually being security.
edited 3rd Nov '11 2:23:02 PM by FastEddie
Goal: Clear, Concise and Witty
Precautions that don't protect against computer experts still protect against nosy relatives; the majority of them are only familiar with the kind of cookies bought in grocery stores. :-)
I'm not asking you to make it a big priority. But if you could eventually make the two changes I'm asking for, I'd appreciate it.
- Make it so that the current password is not spelled out in plain text in the browser window.
- Make it so that you have to type in your current password in order to switch to your new password.
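An added example, not code from TV Tropes or from anyone in this thread, that puts the two designs discussed above side by side in Python: a "login cookie" that carries the handle and password themselves (base64 stands in for whatever reversible encoding a site might call encryption), and a server-side session table with opaque random tokens plus a change-password handler that insists on the current password. The handle, passwords and class names are constructed for the demonstration. It shows that a copied cookie replays in both designs, which is the "theater" point, but that only the first one reveals the password, lets a cookie holder change it without knowing it, and logs every other machine out as a side effect of a legitimate change.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


class LoginCookieSite:
    """Toy version of the design the thread describes: the cookie *is* the
    credential. Nothing is hashed, because the server rebuilds the handle and
    password from the cookie on every request. (Constructed example.)"""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}

    def register(self, handle: str, password: str) -> None:
        self.passwords[handle] = password

    def login(self, handle: str, password: str) -> str | None:
        if self.passwords.get(handle) != password:
            return None
        # base64 stands in for any reversible "encryption" of the cookie: it
        # stops a human reading the value, not a copy of it being replayed.
        return base64.urlsafe_b64encode(f"{handle}:{password}".encode()).decode()

    def who_is(self, cookie: str) -> str | None:
        try:
            handle, password = base64.urlsafe_b64decode(cookie).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        return handle if self.passwords.get(handle) == password else None

    def change_password(self, cookie: str, new_password: str) -> bool:
        # No current-password prompt: the cookie is taken as proof of ownership.
        handle = self.who_is(cookie)
        if handle is None:
            return False
        self.passwords[handle] = new_password
        return True


class SessionTokenSite:
    """The alternative: salted password hashes at rest, an opaque random token
    in the cookie, and a change-password handler that checks the current
    password and revokes every outstanding session for the handle."""

    def __init__(self) -> None:
        self.credentials: dict[str, tuple[bytes, bytes]] = {}  # handle -> (salt, hash)
        self.sessions: dict[str, str] = {}  # token -> handle

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, handle: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[handle] = (salt, self._hash(password, salt))

    def _verify(self, handle: str, password: str) -> bool:
        record = self.credentials.get(handle)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)

    def login(self, handle: str, password: str) -> str | None:
        if not self._verify(handle, password):
            return None
        token = secrets.token_urlsafe(32)  # random; carries no information at all
        self.sessions[token] = handle
        return token

    def who_is(self, token: str) -> str | None:
        return self.sessions.get(token)

    def change_password(self, token: str, current: str, new: str) -> str | None:
        handle = self.who_is(token)
        if handle is None or not self._verify(handle, current):
            return None  # holding the cookie is not enough
        self.register(handle, new)  # re-salt and re-hash
        # Drop every session for this handle (a copied cookie included) and
        # hand the caller a fresh token.
        self.sessions = {t: h for t, h in self.sessions.items() if h != handle}
        return self.login(handle, new)


def demo() -> dict[str, bool]:
    """Run the nosy-relative scenario against both designs. Handle and
    passwords are constructed for the example."""
    out: dict[str, bool] = {}
    a = LoginCookieSite()
    a.register("tropername", "hunter2")
    cookie = a.login("tropername", "hunter2")
    copied = cookie  # the relative copies the cookie off the shared machine
    out["a_cookie_reveals_password"] = "hunter2" in base64.urlsafe_b64decode(cookie).decode()
    out["a_copy_replays"] = a.who_is(copied) == "tropername"
    out["a_change_without_current"] = a.change_password(copied, "pwned")
    out["a_other_browser_logged_out"] = a.who_is(cookie) is None  # old combo now invalid

    b = SessionTokenSite()
    b.register("tropername", "hunter2")
    token = b.login("tropername", "hunter2")
    out["b_cookie_reveals_password"] = "hunter2" in token
    out["b_copy_replays"] = b.who_is(token) == "tropername"  # a copied session is still a session
    out["b_change_without_current"] = b.change_password(token, "wrong guess", "pwned") is not None
    fresh = b.change_password(token, "hunter2", "correct horse battery staple")
    out["b_stolen_copy_revoked"] = b.who_is(token) is None and b.who_is(fresh) == "tropername"
    return out
```

Run `demo()` and compare the `a_*` and `b_*` entries: the copied cookie works against both servers, so "encrypting" the cookie buys nothing against someone who copies the file. What the second design changes is that the cookie contains nothing worth reading, the change-password form cannot be driven by the cookie alone, and a password change kills the stolen copy instead of the owner's other browsers.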
@Log: Good point, I forgot that TV Tropes doesn't use session cookies, just login cookies. Of course, it does mean the username/pass is being sent cleartext with every request, but that's almost par for the course.
An Ear Worm is like a Rickroll: It is never going to give you up.
I just tried to change my password, only to realize that...
Changing this would be a good thing. Sorry if there's a thread for this already and I missed it. I did check, but I have a headache today and even missed one obvious link.
edited 3rd Nov '11 5:48:52 AM by Xzenu