
Make sure your SHGA password isn't used anywhere else

Posted: Sun Sep 08, 2013 5:30 pm
by OP
It's incredibly insecure. It broadcasts the username and password in plain text in easily sniffed packets.

Image

Posted: Mon Sep 09, 2013 7:06 am
by JD
Thanks OP. How did you access this information? Is this something that anyone could do using freeware like Wireshark?

Posted: Mon Sep 09, 2013 3:27 pm
by OP
Yeah, that's freeware. Wireshark is shown in the jpeg. Try it on yourself to see how easy it is.

:o
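As an added example, not code from the thread or from the forum itself: the Python script below parses a constructed plain-HTTP login POST the way a passive sniffer on the same wifi (or Wireshark's "Follow TCP Stream") would see it, and shows that the same submission wrapped in a TLS record yields nothing to parse. The endpoint `/login.php` and the field names `username` and `password` are assumed to match a phpBB2-style login form and are not taken from the thread; all packet bytes are constructed, not captured.

```python
"""Added example (not from the thread): what a passive sniffer on a shared
network sees when a forum login form is submitted over plain HTTP versus
over HTTPS. Every byte below is constructed, not a real capture."""
from urllib.parse import parse_qs

# Constructed TCP payload of a phpBB2-style login. The path and the field
# names 'username'/'password' are assumptions, not taken from the thread.
HTTP_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: forum.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"username=pilot42&password=Fly%26Soar%21&login=Log+in"
)

# Constructed first bytes of a TLS record (type 0x16 = handshake, version
# 0x0301) followed by filler: the same login over HTTPS looks like this on
# the wire and carries no readable form fields.
TLS_LOGIN = b"\x16\x03\x01\x00\x2b\x01\x00\x00\x27\x03\x03" + bytes(32)


def extract_credentials(payload: bytes):
    """Return {'username': ..., 'password': ...} if the payload is a
    plain-HTTP form login, otherwise None. This is the whole 'attack':
    split headers from body and URL-decode the form fields."""
    if not payload.startswith(b"POST "):
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers never terminated; not a complete request
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip()
    if ctype != b"application/x-www-form-urlencoded":
        return None
    length = int(headers[b"content-length"]) if b"content-length" in headers else len(body)
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    user = fields.get("username", [None])[0]
    password = fields.get("password", [None])[0]
    if user is None or password is None:
        return None
    return {"username": user, "password": password}


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header."""
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


if __name__ == "__main__":
    for label, packet in (("HTTP", HTTP_LOGIN), ("HTTPS", TLS_LOGIN)):
        creds = extract_credentials(packet)
        if creds:
            print(label, "->", creds)
        elif is_tls_record(packet):
            print(label, "-> encrypted; nothing to read")
        else:
            print(label, "-> no form login found")
```

The parser deliberately does nothing clever: no decryption, no cracking, just the same header/body split Wireshark performs for you. That is the point of the thread; on an open wifi the only thing standing between a bystander and the password is whether the site uses TLS.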

Posted: Mon Sep 09, 2013 5:31 pm
by JD
OP wrote: Yeah, that's freeware. Wireshark is shown in the jpeg. Try it on yourself to see how easy it is....
Thanks OP. See you at the Dahlston

Posted: Mon Sep 09, 2013 7:59 pm
by Chip
Uh, easy enough when you're on the same network or using the same computer you are using to sniff. Otherwise you need to intercept them. So not as easy as you might be leading others to believe.

Sure, it would be nice to move to phpBB3 where we can use something other than the default MD5 hash encryption method. But we'll need to re-write a significant portion of the web site to work with MySQL since phpBB3 does not work with MS Access (our current DB).

About a year and a half ago, I successfully tested the upgrade from phpBB2 to 3. It was relatively easy, but because the new forum uses a new login hash, the SHGA pilot login section would need to be re-written at a minimum.

Step up anytime you are willing to put in the hours
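An added example, not code from the thread or from phpBB: Chip's point that phpBB2 stores the default MD5 hash matters for the warning in the thread title, because a copy of the user table plus a wordlist recovers every weak or reused password with one MD5 computation per word, no sniffing required. The Python below runs that lookup over a constructed user table, then stores the same passwords with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256, an assumed stand-in; the thread does not say which hash phpBB3 uses) so that one lookup table no longer serves every user. User names, passwords and the wordlist are constructed.

```python
"""Added example (not from the thread): unsalted MD5 rows, the phpBB2
default mentioned above, versus salted iterated hashing. The user rows,
passwords and wordlist are constructed; PBKDF2 is an assumed stand-in for
whatever phpBB3 actually uses."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the salted scheme
WORDLIST = ["password", "letmein", "hanggliding", "Fly&Soar!", "123456"]

# Constructed phpBB2-style rows: user_password = md5(password), no salt,
# so two users with the same password get the same stored value.
PHPBB2_USERS = {
    "pilot42": hashlib.md5(b"hanggliding").hexdigest(),
    "jd": hashlib.md5(b"letmein").hexdigest(),
    "chip": hashlib.md5(b"correct-horse").hexdigest(),
}


def crack_unsalted_md5(rows: dict, wordlist: list) -> dict:
    """One MD5 per wordlist entry, reused against every row: the table
    built here cracks the whole user base at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}


def make_salted(password: str, iterations: int = ITERATIONS) -> str:
    """Store a fresh random salt next to an iterated hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(rows: dict, wordlist: list):
    """No shared table is possible: every (user, word) pair costs a full
    PBKDF2 run. Returns (cracked, attempts) so the cost is visible."""
    cracked, attempts = {}, 0
    for user, stored in rows.items():
        for word in wordlist:
            attempts += 1
            if verify_salted(word, stored):
                cracked[user] = word
                break
    return cracked, attempts


# The same constructed users re-stored under the salted scheme.
SALTED_USERS = {
    "pilot42": make_salted("hanggliding"),
    "jd": make_salted("letmein"),
    "chip": make_salted("correct-horse"),
}

if __name__ == "__main__":
    print("unsalted MD5 :", crack_unsalted_md5(PHPBB2_USERS, WORDLIST))
    found, cost = crack_salted(SALTED_USERS, WORDLIST)
    print("salted PBKDF2:", found, "after", cost, "full hash runs")
```

Weak passwords still fall to the salted scheme, as the second line of output shows; what changes is that the attacker pays per user and per guess instead of once per word, and a leaked table no longer reveals which members share a password. That is why the title's advice stands regardless of which forum software is in use.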

Posted: Wed Sep 11, 2013 2:12 pm
by OP
Just a warning to those who use a single password for everything. If you share a common wifi network, I can get your info. So if we are both on the wifi in the LZ, I can easily read your username and password.

Just a word to all who do this:
Oh look, free unprotected wifi at the coffee shop. Let me log into SHGA, facebook, email and my bank. They could figure out who you are and "go chop your dollar." http://bit.ly/QGmW2U

Migrating looks like a huge hassle. This works great for our purposes. Thanks for running this thing for us, Chip.

Posted: Sun Sep 15, 2013 8:34 am
by Chip
Strongly suggest that everyone use a password manager like RoboForm, LastPass, Keepass.

Most of them have some sort of password generator that randomizes the password and can keep track of the password changes for each site you visit.

I'm using RoboForm, but many people are using LastPass and like it for its dual factor authentication options. Either way, a password manager is a good way of having passwords that are separate for every place on the internet you visit and you only need to remember one master password.

Easy to install; it takes a bit of trust to go completely in, but once you start using one, you'll wonder why it took you so long to start.

Concerned that you cannot use it if you aren't at the computer you installed it on? Don't be. All of them have a way to view the password online after you authenticate with the correct credentials. Most good password managers also work with your smart phone too.