Enhancement of Forum Security
Hi,
during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:
Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.
during the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:
- Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
- The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.
Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend to encrypt the webserver traffic at least for the login and registration pages by using HTTPS and not to include the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by an unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.
