Is loveforum login really secure?

[anachronistic]

<form action="http://www.loveforum.net/login.php?do=login" method="post" onSubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">

I never really bothered to look until just now. How come SSL isn't being used? Or HTTPS? Is md5hash really secure?

[Gigabitch]

No idea. I just do stuff on the front end, not the back end.

[anachronistic]

Completely understandable, I am expecting an answer from loveadmin, because I doubt any moderators deal with server-end applications.

Also expecting some debate from technical users who know a bit about that.

My understanding is that MD5 is quite insecure, and I am just suggesting that SSL/HTTPS be used instead.

[IndiReloaded]

Not a direct answer, but a caution for the unwary:

Nothing you commit to the internet should be considered secure. Emails can be read by system admins, IP addressses can be traced (sometimes), that sort of thing. There are ways to check who's looking (we look periodically to see who has pinged our computers) & its sometimes interesting to see what you find.

Its that old saying: if you don't want to be held accountable for saying it, don't say it.

[anachronistic]

Words of wisdom from Indi; of course precautions should be taken into consideration. But what I am getting at is even more important; the user login of the forum uses an algorithm of cryptography, called MD5, which is known for its simple vulnerabilities. Its hashes are easily decoded, because they are very simply encrypted. What does this mean? Well, someone that knows what they are doing could phish a page to you, because it is not HTTPS, and get your username and password. They could also retrieve the hash of the username/password and decrypt it, and have access to your account here (and possibly other websites, and more personal information if you use the same password for everything)

As I recall, this has happened already with one account (Dono) and vulnerability remains open.

I am just looking out for this community by examining the issue. Time and time again in my experience as a server specialist and web designer, my opinion is that users tend to use the same username/password for everything. I am informing the public about this, and hopefully they will make any necessary changes, to ensure their security, but it is not guaranteed.

I also think it is the duty of administrative staff, even moderators on forums, to do everything they can, within reasonable boundaries, to eliminate any such problems. Why? Well, that is how the successful websites do it. The mindset of "Pfft, well that's just how the Internet is," is somewhat hindering, because it is, in a way, avoiding a problem. Sure, that's how the Internet is now, but it is not adamant. It can be changed, for the better, or for the worse. I am here to make it for the better, as I see it. Don't you want that? Don't you care?

And from a philosophical point, nothing in this world is secure. Nothing is symmetrical. So this lesson can be applied to actual life, too. I am actually writing about that in my freetime. A life of independence is a perfect one.

Oh, and I want to be recognized for the things I say. Even on here. I take full credit for all of it, but unfortunately, some sneaky bastard will probably take that away from me. Oh well. Hopefully what I said was so cleverly toned and original, that nobody could ever imitate it and call it their own. HA!

[Kiechi]

I don't think anyone really cares to be honest.

[AdminOnline]

Sorry for the late answer. Just to assure everyone that the login is secure.

[Illusional]

yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

[lesa]

yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

lol. Your SO, family, or friends can break into home and get it.

[AdminOnline]

yup, i don't really care. that's why i have a million and one passwords.. i have to write everything down to keep track of them. of course i lock them in my safe that has the same combination as my birthday so that i will never forget it. i'm all good.

raverboy

Just wonder is rboy drunk while writing this?

[Illusional]

i probably was drunk when i wrote that. or atleast i thought i was.

raverboy

[anachronistic]

I never pictured raverboy as such a paranoid. Tell me, raverboy, do you insert your butt plug every day to keep yourself on your toes?

Anyway, I actually just used md5 to encrypt a user database on a website I am designing; first I encrypt it with md5, and then it is encrypted again with the MySQL encryption. And then the login uses SSL for maximum security.

[Illusional]

I never pictured raverboy as such a paranoid. Tell me, raverboy, do you insert your butt plug every day to keep yourself on your toes?

Anyway, I actually just used md5 to encrypt a user database on a website I am designing; first I encrypt it with md5, and then it is encrypted again with the MySQL encryption. And then the login uses SSL for maximum security.

paranoid?? i only keep my butt plug in because i'm worried that gay people like you want to stick your thing up my ass.

raverboy

[TAVS]

MD5 is definitely secure, but you still have to use a somewhat complex password. If you use the word apple, for example, it wouldnt be that hard to figure out even with md5. But there is one thing to always keep in mind, on any site ask yourself, is someone really going to spend that much time and that much computing power to try and access your account on said site. I can bet nobody is going to put in such effort to get your loveforum pass

[AdminOnline]

MD5 is definitely secure, but you still have to use a somewhat complex password. If you use the word apple, for example, it wouldnt be that hard to figure out even with md5. But there is one thing to always keep in mind, on any site ask yourself, is someone really going to spend that much time and that much computing power to try and access your account on said site. I can bet nobody is going to put in such effort to get your loveforum pass

TAVS! long time never see you here.

Our server is going move to denver, colorado very soon. I bet you will get a good ping from your home next week onward.