
Cookie Abuse

Status
Not open for further replies.

tangram

IS-IT--Management
Oct 31, 2001
18
GB
Just a quick note for everyone looking at, or interested in, security. If you use the 'Remember Me' option at the beginning of this site to assist your logging in, the cookie that is saved on your machine will contain your username and password IN PLAIN TEXT!

I've e-mailed the site, but haven't received a response and they haven't fixed this glaring great hole in their security, so I would advise everyone to use a different user-name and a different password than your normal ones just for this site.

It's the stupidity of site builders like these that gives cookies a bad name and gets people's backs up to the point where the EU step in and start making ridiculous changes to the law.
 
The question is, why does this site need to have the security of a bank? No sensitive information is stored here. No social security #, no bank accounts, etc. The "stupid site builders" are doing their best considering they aren't charging for this site and not storing any non-public info.

If you really need security, I'm sure they will be willing to charge for it. Then you CAN give them your credit card number. >:-<

Sorry about the rant but those that maintain this site are not stupid. If you don't want the cookie, don't accept it.

James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
personally i like this stupid site, and it's stupid builders

some people are just too damn paranoid.
 
The Tek-Tips stupid site builder has made automatically logging into this site really simple. So what if the password is stored in plain text?

This site blows away practically every other site on the Net for sheer usability, both visual and technical. Spending time making 128 bit encryption for your password so no one can spoof members' technical posts can't be that high on their list.

But you could always ask the question :)
 
and you don't have to use the cookie feature .. it is optional
 
I totally agree with you lot in one respect; the site is fantastic, the people on it are great, the information is useful and this board has given me loads of ideas to play with. I’ve been lurking for a while, though this is the first time I’ve been compelled to post. So why is this a problem then and why did I raise the issue?

Fact is I don't give two hoots if anybody hacks into this site with my password. This is not, as has been pointed out, a bank. This site doesn't need to be secure in any way shape or form so from a site perspective it makes no difference at all.

Fact is though, how many of you use the same username and password on other sites, logins to corporate resources, your e-mail, your on-line banking, just to log into your computer? I tend to use only a few usernames and passwords most of the time and I don't know many of my colleagues who bother with a different user-name and password for every site/database/bank etc. that they use.

So you now have your very own unique username & password stored on your computer in one of the most insecure places it can be on your machine, the cookie bin. Anyone who has either physical access to your machine, or access through numerous backdoor methods, also has access to this. So no, it matters not two hoots that this site can be spoofed, but that anybody looking at this information will potentially have your access details for every other secure location you use, I’m sure you would agree, is indeed an issue, which is why it shouldn’t be done. Given that you guys are obviously interested in security (why else would you be looking at this thread?), I’m very surprised that you're not surprised that the site builders have chosen to do this.

This site is obviously put together using a very comprehensive database structure, so why not store your username and password details on the database, where it is secure already and not on your browser?

I’m sorry; maybe stupid is too strong a word to describe the site-builders who do a fabulous job. Misinformed and naive would perhaps be a better alternative.

I think the site is great and I love it, it’s a godsend. I will however choose NOT to make everyone else’s life easier by giving away information that should be secure. I was just pointing out that this sorry state of affairs exists and is a fabulous example of why cookies are being slated as being dangerous. Cookies are not dangerous, the people who build web-applications are the dangerous ones.
 
Your username and password details ARE stored in their database, otherwise how would they know that the ones you log in with are the correct ones? The only reason they're also stored in your cookie jar is that you ASKED for the site to do that with the "Remember Me" option. If you don't like it, uncheck that option and delete the cookies.

As for people who aren't bright enough to use a different password for a site like this and for their bank accounts: you can't protect people from their own stupidity. The password I use for my bank account is one I use NOWHERE ELSE. Sure it's one more password to remember, but if you can't remember one more password, especially one that important, you've got bigger problems than worrying about security.

True, there are ways around the problems you mention here, and if you ask nice instead of resorting to name-calling, they might even implement some of them. Until then, just don't use the "Remember Me" option if you don't like it, or change your darned password.

Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 
Tek-Tips cookies are now encrypted. The next time you accept a cookie from here it should replace the existing cookie with one that is encrypted.

James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
tangram,

Thanks for mentioning this. The cookie issue was on our "To-Do" list, but your post gave us the excuse to move it up on our priority list.

I've implemented a new system for the "Remember Me" option that stores your information with reasonably strong encryption. Also, any existing plain text cookies are encrypted as they come in.

Thanks again, and if you ever have any further issues with the Tek-Tips site, or if you have any questions, comments or suggestions for us, please feel free to write us at feedback@tek-tips.com any time.

Doug Trocino
dtrocino@tecumsehgroup.com
Technical Director
Tecumseh Group, Inc.
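The thread's fix was to encrypt the "Remember Me" cookie; a design that avoids putting the password in the cookie at all is shown below. This is an added example, not Tek-Tips' own code: it issues a random selector/validator pair, keeps only a hash of the validator server-side, and sets the cookie flags a browser honours. The in-memory `USERS` and `REMEMBER_TOKENS` dictionaries are assumptions standing in for the site's database.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores standing in for the site's database (assumption).
USERS = {"tangram": "user-id-18"}   # username -> user id
REMEMBER_TOKENS = {}                # selector -> (user id, sha256 hex of validator)

def issue_remember_me(username: str) -> SimpleCookie:
    """Create a 'Remember Me' cookie that carries no password.

    The cookie holds a random selector and validator. Only a hash of the
    validator is stored server-side, so a leaked database row cannot be
    replayed as a cookie, and a leaked cookie reveals nothing reusable on
    other sites (the concern raised in this thread)."""
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    digest = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (USERS[username], digest)
    cookie = SimpleCookie()
    cookie["remember"] = f"{selector}:{validator}"   # token chars never include ':'
    cookie["remember"]["httponly"] = True   # not readable by page scripts
    cookie["remember"]["secure"] = True     # only sent over HTTPS
    cookie["remember"]["samesite"] = "Lax"
    cookie["remember"]["max-age"] = 30 * 24 * 3600
    return cookie

def check_remember_me(cookie_value: str):
    """Return the user id for a valid cookie value, otherwise None."""
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None
    entry = REMEMBER_TOKENS.get(selector)
    if entry is None:
        return None
    user_id, stored_digest = entry
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison so the stored hash is not leaked via timing.
    if not hmac.compare_digest(presented, stored_digest):
        return None
    return user_id

def revoke_remember_me(cookie_value: str) -> None:
    """Invalidate a cookie server-side (logout or password change)."""
    REMEMBER_TOKENS.pop(cookie_value.split(":", 1)[0], None)
```

Because the server stores only a hash and the cookie stores only random tokens, changing the site password does not expose any other credential the user happens to reuse.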
 
Tracy - "As for people who aren't bright enough to use a different password for a site like this and for their bank accounts: you can't protect people from their own stupidity."

Well, that covers about 75% of the user base that I have to deal with, and that includes the Directors and Senior Managers who have less idea about what they're doing on a PC than my nephew. Stupidity, for the most part anyway, doesn’t enter into it. Fact is they rely on us techies to give them software that works properly. You can't protect people from their own stupidity, I agree, but you can make damn sure that they aren't helped along the way by shoddy practice. I ASKED for the site to remember me, thereby giving permission to the system to install a cookie so I can log in quick. I didn’t ASK for the system to make my username and password public. Bad practice is bad practice regardless of the application. Your telling a user (me in this instance) ‘if you don’t like it take it off’ is a pretty poor attitude, especially for a programmer, to take. I bet if you said that to one of your bosses you’d be out on your ear damn sharp.

James you’re a Gent! :)
 
You are assuming an awful lot about other people's user bases...

For instance I have a user base that seems to be maliciously stupid considering the amount of information they have concerning procedures and the amount of caution they practice as a consequence.

As far as "techies" protecting them from themselves... Forget it. I don't know where you work but unless there are strong consequences for not obeying the rules they won't be obeyed.

On the other hand an uninformed public is truly vulnerable. So thanks for the warning.

Look at the latest outbreak of vulnerabilities in MS products for instance. Ask yourself: Who does this affect and why?
 
I'm assuming nothing about people’s user bases, but what has that got to do with the subject anyway? We do the best job we possibly can to protect our user base because that’s our job.

I've already agreed that it’s impossible to protect idiot users from themselves, but as professionals if we don’t strive to safeguard these people where possible then it’s us who are the idiots.
 
"Stupidity, for the most part doesn't enter into it..."

That's the topic I was discussing. I simply disagree.

As far as shoddy code goes... what can we do about that if we didn't write it, and can't change it, except NOT use it? Who has that option?
 
Tangram: Actually, my boss feels exactly the same way I do! I'm sorry you have to deal with so many stupid people. All I can suggest is that you find yourself a position that you like better. Personally, I wouldn't work in that kind of an environment.

And as a programmer (and a damn good one), I try to make allowances for stupid people, but you can only do so much. I still say that anyone who uses the same password for their bank account and something like TekTips is irretrievably stupid. You simply can't make allowances for that kind of willful stupidity.

Or to put it another way: "Every time I make the program idiot proof, they come up with a bigger idiot." (source of quote unknown).

I'm not saying that there isn't a better way to do the password thing. There obviously is, and Dave and Doug have worked hard to implement it. However, unless you are on a secure server, the password is STILL going to be transmitted in plaintext when you log on that first time. I have yet to find a reasonable way of securely encrypting a password via Javascript (and I HAVE looked). So the first time you enter your password it's still going to be transmitted in plaintext once. With the level of password paranoia you're talking about, that's still unacceptable. How would you solve it?

Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 