Turns All Year - Unsecure

22 Apr 2016 11:17 #226881 by BrianT
I'm starting a new topic from the "Silas hacked" topic. I just want to make sure Marcus and all people who use this site know that their usernames/passwords are not safe when logging in.

If you are using this site, I'd recommend that you change your passwords on any other site you use to be something other than this password used here. Let me show you why.

The first pic attached (login.png) shows you the login page. While your password is 'masked' here, and looks secure, when you make the actual login request to TAY, it's sent over unencrypted HTTP traffic and the data is actually stored in the POST body of the request.

This means that if anyone reviewed this packet being sent to TAY, they could see your username/password as nothing is encrypted. So, if you're using the same username/password that you use when you bank, I'd highly recommend changing it.
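The cleartext login BrianT describes is easy to spot on the wire, which is also how a site owner confirms the problem is gone after moving the login to HTTPS. The following is an added example, not code from the thread or from the TAY site: it takes an HTTP request as captured from the network plus a flag saying whether that connection was TLS-protected, and returns the names of any credential-like fields that travelled unencrypted. It goes slightly beyond the post by also checking query strings and JSON bodies, not only form-encoded POST bodies. The hostname, paths, field values and the list of credential field names are constructed assumptions.

```python
"""Detect login credentials submitted without TLS.

Added example (not from the forum thread or the site it discusses). A
network sensor that only sees plain HTTP can use it to raise an alert; a
site owner can use it to confirm a login form is fixed after enabling HTTPS.
"""
import json
from urllib.parse import parse_qs

# Field names that conventionally carry secrets (assumed list; extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token", "pin"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_body_fields(headers, body):
    """Return submitted field names for form-urlencoded or JSON bodies."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return set(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    if ctype == "application/json":
        try:
            data = json.loads(body.decode("utf-8"))
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set()


def cleartext_credentials(raw: bytes, tls: bool) -> list:
    """Sorted names of credential-like fields sent in the clear; [] if none or if TLS.

    Both the query string of the request target and the body are inspected,
    so a GET /login?password=... leak is reported as well as a POST body.
    """
    if tls:
        return []
    request_line, headers, body = parse_http_request(raw)
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    fields = set(parse_qs(target.partition("?")[2], keep_blank_values=True))
    fields |= extract_body_fields(headers, body)
    return sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)


# Constructed sample: a login form post as it would look on the wire over plain HTTP.
SAMPLE_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"username=skier&password=hunter2&remember=yes"
)

# Constructed sample: a JSON login call, the same problem in a different encoding.
SAMPLE_JSON_POST = (
    b"POST /api/session HTTP/1.1\r\n"
    b"Host: forum.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"user": "skier", "pin": "1234"}'
)

if __name__ == "__main__":
    for label, req in (("form post", SAMPLE_LOGIN_POST), ("json post", SAMPLE_JSON_POST)):
        leaked = cleartext_credentials(req, tls=False)
        print(f"{label}: {'leaks ' + ', '.join(leaked) if leaked else 'no cleartext credentials'}")
```

The `tls` flag is deliberately an input rather than something the function infers: on a sensor it comes from the port or the TLS handshake, and in a post-fix check it comes from knowing the form's action URL now starts with `https://`. An HTTPS site whose login form still posts to a plain `http://` action URL would fail this check, which is exactly the case worth catching.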

22 Apr 2016 12:12 #226883 by BrianT
After pointing this out, could we look at using something like FB/Google/Amazon Integration with our logins so that no username/password has to be passed along or stored on the site?

22 Apr 2016 12:36 #226884 by Charlie Hagedorn
I admired TAY's timelessness; ceding our identities to a third party for authentication would be a bummer.

HTTPS, however, would be awesome.

22 Apr 2016 12:43 #226885 by BrianT
> I admired TAY's timelessness; ceding our identities to a third party for authentication would be a bummer.
>
> HTTPS, however, would be awesome.

Just curious as to why it would be a bummer? Most if not all of us are already a member of FB/Amazon/G+, why not let them deal with the authentication part of this. We could still keep our own usernames/etc., we just wouldn't have to have TAY handle the PW auth, and hashing/salting the PW on the back-end DB. Less overhead and it's a hell of a lot more secure than doing it yourself as the sessions are all handled by encrypted cookie tokens.

26 Apr 2016 20:34 #226915 by Charlie Hagedorn
Saw a friend on a streetcorner tonight, and among the first things he had to say was, "I need to talk with you about FB auth on TAY", so I'd better respond :).

In short, it's absolutely easier for a webmaster to defer authentication over to a social network, ad-network/search engine, or department store. It'll work well and be both very secure and continuously updated.

I'm just uncomfortable making a third-party company a gatekeeper for our community. If one day one of those companies decides to freeze a TAYer's account, for any reason, then they'd no longer be able to log in to TAY. That'd be a bummer.

27 Apr 2016 05:34 #226917 by flowing alpy
I got 2 cyber accounts, here and the mothership. But really I'm just around to find out where the 3rd party is at. Plus, Silas is skiing fine.

27 Apr 2016 16:06 #226921 by skykilo
Wasn't it always obvious that this is not secure? Does anybody care? Are you storing your important account number, SSN and PINs in your TAY messages or something!?

I would just quit the site rather than use FB or something like it for access.

I use it every day and it does not matter one bit that weather.gov is unsecure.

27 Apr 2016 20:30 #226923 by T. Eastman
> I would just quit the site rather than use FB or something like it for access.

Ditto!!!

27 Apr 2016 21:38 #226925 by Lowell_Skoog
I have scores of passwords for different online accounts. I certainly don't use the same password for TAY that I use for sites that contain important financial or personal information. If somebody hacked my TAY password I would just change the password and then (maybe) patch up whatever they hacked. Not a big problem, in my view.

29 Apr 2016 10:32 #226940 by OregonDead
Shit. Now everyone can find my secret stash.

29 Apr 2016 10:48 #226941 by BrianT
I get the "I don't wanna use FB Login" but if you already have a FB account, there's really nothing you're losing with this. Not to mention you're taking some security off the site which is good for admins. There are many other ways to handle this, TAY could implement Auth0 or a number of other security measures. It's bad practice to have any kind of username/pw sent over clear text.

01 May 2016 15:39 #226949 by hyak.net
As long as everyone is aware, just make sure your TAY account pw is unique. Personally I'm not too worried about someone getting into my account to see my PMs or whatever. They can't spend my money using this login, so what harm can someone really do beyond being annoying?
