Blockland Forums > General Discussion
The Blockland Bulletin
cucumberdude:
--- Quote from: Kalphiter on March 09, 2011, 11:34:11 PM ---There's your problem.
You just told us all that you have no clue what you're doing. We can't prove you're hashing them server-sided. If they are hashed a few times client-sided, we know that you cannot possibly harvest any passwords. You offered no evidence that you care and do not seem to have the knowledge to do so.
--- End quote ---
So you're suggesting that someone would hypothetically be intercepting login attempts between the client and server? Very unlikely, I'd say.
If you're worried that I'm not hashing serverside, I can't prove that to you.
--- Code: --- <form action="/login.php" method="post">
<div id="login-form">
<table width="100%" cellspacing="5" cellpadding="0">
<tr>
<td width="50%"><label>Username:</label></td>
<td width="2%"> </td>
<td width="48%"><input name="username" type="text" maxlength="40" size="20" /></td>
</tr>
<tr>
<td width="50%"><label>Password:</label></td>
<td width="2%"> </td>
<td width="48%"><input name="password" type="password" maxlength="25" size="20" /></td>
</tr>
</table>
<div id="forgot-pass">
<span class="small"><a href="/recover.php">Forgot your password?</a></span>
</div>
</div>
<input type="submit" style="visibility: hidden" />
</form>
--- End code ---
From the RTB login. What am I doing differently? Is my princess in a different part of the code? I'd honestly love to improve RBL.
EDIT: Haha.
--- Quote from: Scout31 on March 09, 2011, 11:31:55 PM ---You have no idea what you're doing. Stop, and come back in about a year.
--- End quote ---
--- Code: ---<html>
<head>
<link rel="stylesheet" href="http://backupblockland.us/include/style.css" />
<link rel="shortcut icon" href="http://backupblockland.us/favicon.ico"/>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-20064500-1']);
_gaq.push(['_setDomainName', '.backupblockland.us']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<meta http-equiv="X-UA-Compatible" content="IE=9" />
<title>Back-up Blockland | Log-in</title>
</head>
<body>
<h1>Back-up Blockland</h1>
<div id="nav">
<ul id="nav">
<li><a href="http://backupblockland.us/index.php">Home</a></li>
<li><a href="http://backupblockland.us/news.php">News</a></li>
<li><a href="http://backupblockland.us/service.php">Services</a></li>
<li><a href="http://backupblockland.us/contact.php">Contact</a></li>
</ul>
</div>
<br />
<br /> <div id="contentbox" align="center">
<div id="content">
<form name="input" action="index.php" method="post">
<table>
<tr><td>Username:</td><td><input type="text" name="user" /></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" /></td></tr>
</table>
<input type="hidden" name="filled_login" value="1" />
<input type="submit" value="Submit" />
</form>
</div>
</div>
</body>
</html>
--- End code ---
Login code from your site.
ANOTHEREDIT:
And, by the way, client side hashing is trivial in terms of stopping potential attackers - because the serverside is waiting for a hashed password, if someone intercepts the clientside hashed password they can login anyways.
Kalphiter:
--- Quote from: cucumberdude on March 09, 2011, 11:40:55 PM ---So you're suggesting that someone would hypothetically be intercepting login attempts between the client and server? Very unlikely, I'd say.
If you're worried that I'm not hashing serverside, I can't prove that to you.
--- End quote ---
But if it was hashed client-sided, then you couldn't possibly reverse that process and thus you can't retrieve any passwords.
Scout31:
That I made a year ago, stopped, then came back knowing more about web stuff. Plus, it wasn't even done or advertised, whereas you advertised yours as a done feature. It's practical for anything WIP to be insecure and buggy.
Sheath:
I think you need to be careful about what you consider bias.
Bias is not something you disagree with.
Bias is not something that's written from a perspective you don't like.
Bias is not something that's opinionated.
Just because you disagree with the article doesn't make it biased. Its reporting is based on words from other users, quotes from Ephi, and a perspective that's there for you to agree or disagree with. There is no prejudice or favor in what was written. Obviously someone in higher power is expected to be more responsible, and the article was exposing what could be considered irresponsibility.
cucumberdude:
--- Quote from: Scout31 on March 09, 2011, 11:50:33 PM ---That I made a year ago, then came back knowing more about web stuff. Plus, it wasn't even done or advertised, whereas you advertised yours as a done feature. It's practical for anything WIP to be insecure and buggy.
--- End quote ---
Actually, I made it quite clear that it was constantly under development - it was even taken down a couple of times initially to address some other non-hash-related security concerns.
--- Quote from: Kalphiter on March 09, 2011, 11:49:18 PM ---But if it was hashed client-sided, then you couldn't possibly reverse that process and thus you can't retrieve any passwords.
--- End quote ---
That's true. I'll go and add a SHA256 javascript encryption clientside if that helps. Presumably, JS and PHP SHA256 work with the same exact algorithm?
On the topic of my knowledge of PHP;
It's true. I'm by no means a professional, especially when it comes to web security. But everything is a learning process. If I can't make mistakes, then I can't progress. I'll admit, it was stubborn and silly of me to initially refuse to hash passwords. With passwords safely hashed in the database, there is no longer a real security threat - apart, perhaps, from those who believe that I have some sort of password collection agenda (to what end, I don't know - having access to a random bunch of lego game forum accounts seems pretty useless).
It's worth keeping in mind that the registration clearly asks users NOT TO USE THEIR FORUM PASSWORD - if I were trying to collect passwords, why on earth would I try and discourage users from doing that?