Post a reply

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

DigNative

That's good to hear, thank you.
martin

Re: Enhancement of Forum Security

Thanks for your suggestions.

- We have removed password from registration email
- We are planning to use HTTPS for forum authentication
- We are not storing (never were) plain text passwords on our server
DigNative

Enhancement of Forum Security

Hi,

during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

  1. Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
  2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.

Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.