Turns All Year - Unsecure
- BrianT
- [saxybrian]
- Topic Author
- Offline
- Junior Member
If you are using this site, I'd recommend that you change your passwords on any other site you use to be something other than the password used here. Let me show you why.
The first PIC attached (login.png) shows you the login page. While your password is 'masked' here, and looks secure, when you make the actual login request to TAY, it's sent over unencrypted HTTP traffic and the data is actually stored in the POST body of the request.
This means that if anyone reviewed this packet being sent to TAY, they could see your username/password as nothing is encrypted. So, if you're using the same username/password that you use when you bank, I'd highly recommend changing it.
- Charlie Hagedorn
- [trumpetsailor]
- Offline
- Elite Member
- Posts: 913
- Thank you received: 1
HTTPS, however, would be awesome.
- BrianT
- [saxybrian]
- Topic Author
- Offline
- Junior Member
- Posts: 174
- Thank you received: 0
> I admired TAY's timelessness; ceding our identities to a third party for authentication would be a bummer.
> HTTPS, however, would be awesome.

Just curious as to why it would be a bummer? Most if not all of us are already a member of FB/Amazon/G+, why not let them deal with the authentication part of this? We could still keep our own usernames, etc.; we just wouldn't have to have TAY handle the PW auth, and hashing/salting the PW on the back-end DB. Less overhead, and it's a hell of a lot more secure than doing it yourself, as the sessions are all handled by encrypted cookie tokens.
- Charlie Hagedorn
- [trumpetsailor]
- Offline
- Elite Member
- Posts: 913
- Thank you received: 1
In short, it's absolutely easier for a webmaster to defer authentication over to a social network, ad-network/search engine, or department store. It'll work well and be both very secure and continuously updated.
I'm just uncomfortable making a third-party company a gatekeeper for our community. If one day one of those companies decides to freeze a TAYer's account, for any reason, then they'd no longer be able to log in to TAY. That'd be a bummer.
- skykilo
- [skykilo]
- Offline
- Senior Member
- Posts: 304
- Thank you received: 0
I would just quit the site rather than use FB or something like it for access.
I use it every day and it does not matter one bit that weather.gov is unsecure.
- T. Eastman
- [T. Eastman]
- Offline
- Senior Member
- Posts: 288
- Thank you received: 0
> I would just quit the site rather than use FB or something like it for access.

Ditto!!!