
Password emailed in cleartext.

Posted by katisara
katisara
member, 5991 posts
Nazis. I'll Godwin
if I want to.
Fri 3 Jul 2015
at 01:28
  • msg #1

Password emailed in cleartext

I changed my password and it was emailed to me in cleartext? This is terrible, terrible, terrible. May as well not even have a password at that point. Is there a reason this is done?

(I'm traveling starting tomorrow, so I'll be slow on commenting/responding.)
cruinne
moderator, 6626 posts
I'm not as dumb
as your parents.
Fri 3 Jul 2015
at 01:58

Re: Password emailed in cleartext

All RPoL is sent in clear text.  Have you ever noticed that, when you log in, you're not logging into an HTTPS server but plain old HTTP?


ETA: Previous thread here: link to a message in this forum
This message was last edited by the user at 01:59, Fri 03 July 2015.
katisara
member, 5992 posts
Nazis. I'll Godwin
if I want to.
Fri 3 Jul 2015
at 20:33
  • msg #3

Re: Password emailed in cleartext

I die
kouk
member, 577 posts
Fri 3 Jul 2015
at 21:42
  • msg #4

Re: Password emailed in cleartext

I agree with the user sentiment expressed in that old thread -- it's better to have some token of security than none at all.
Evil Empryss
member, 1310 posts
Because knowing
is half the battle!
Fri 3 Jul 2015
at 21:55
  • msg #5

Re: Password emailed in cleartext

I agree with those who believe that user security starts with the user: Don't use the same password at multiple sites.  I teach computer security to office workers, and that's one of the first things I have to hammer into them. You wouldn't reuse a condom and expect to be protected, so don't reuse passwords.
GamerHandle
member, 738 posts
Umm.. yep.
So, there's this door...
Fri 3 Jul 2015
at 23:11
  • msg #6

Re: Password emailed in cleartext

Evil Empryss:
You wouldn't reuse a condom and expect to be protected, so don't reuse passwords.


I laughed so hard my cat and dog fell out of their comfy seats.  I'm stealing this one for future use. =)
Evil Empryss
member, 1312 posts
Because knowing
is half the battle!
Fri 3 Jul 2015
at 23:16
  • msg #7

Re: Password emailed in cleartext

I'm glad you liked it.  It tends to stick with the people I have to teach, too.  ^_^
cruinne
moderator, 6627 posts
I'm not as dumb
as your parents.
Sat 4 Jul 2015
at 16:07

Re: Password emailed in cleartext

In reply to kouk (msg # 4):

TSA employee?


The security is there: the only people who can see your password when it's mailed to you are the people who have access to your email account.  And then whoever is snooping.  If someone's sniffing your packets, you've got bigger security issues.
This message was last edited by the user at 14:29, Sun 05 July 2015.
katisara
member, 5993 posts
Nazis. I'll Godwin
if I want to.
Fri 10 Jul 2015
at 13:12
  • msg #9

Re: Password emailed in cleartext

My password is transmitted in the clear over radio waves, and then up through our network and on to whatever RPoL does. I do packet-sniff my own network. I know plenty of people who do so on public networks.

I should probably check my RPoL cookies to see if it's saved there too.

I do agree, given it's just a role-playing site, a pretense of authentication is better than not, and isn't likely to cause too much harm to people using the site on its own. But it does have the potential to cause other harm. I'm willing to bet that even Evil Empryss doesn't have two dozen unique passwords for all the sites she visits! I also do computer security and RPoL gets my 'disposable' password, but that doesn't mean it's the case for the average user.
Evil Empryss
member, 1316 posts
Because knowing
is half the battle!
Fri 10 Jul 2015
at 14:58
  • msg #10

Re: Password emailed in cleartext

You're right, katisara: like you I have passwords I use that are "disposable" that will only get you access to sites I won't be bothered much if they get hacked.  But even those are usually capital letter, number, lower case letter, and symbol (if the site is set up to accept symbols in passwords; amazingly, some sites still aren't).  There are tricks you can learn to help you make memorable yet secure and hard to guess passwords, so I really do have about two dozen different passwords.

But the "average" user needs to bring their standard of security up rather than depend solely on other people to protect them.
Shannara
moderator, 3561 posts
Whatever you do,
DON'T PANIC!
Fri 10 Jul 2015
at 17:39

Re: Password emailed in cleartext

I use 'LastPass'.  I've finally come to the conclusion that since most sites, even the ones that have about 1/10th of the information about me that I have posted on my Facebook, require a password that I either will never remember or need to keep written down where it can be lost or stolen, I'll just trust to that method.


Your password must contain at least 1 capital letter, 1 lower case letter, 1 number, one symbol, no consecutive numbers forward or backward, cannot be or contain a word or an approximation of a word, cannot contain numbers in consecutive order of your birthday, social security number or zip code, forward or backward, cannot be one that you've used before, or contain one that you've used before.


Yeah.  I'm going to remember that.
Evil Empryss
member, 1317 posts
Because knowing
is half the battle!
Fri 10 Jul 2015
at 17:54
  • msg #12

Re: Password emailed in cleartext

Here's an easy trick that's good for most passwords: pick a word at least six letters long and not obviously associated with you (like a name or the kind of car you drive) but one you can remember.  The example I usually use is "hoodie".  Now mix it up with numbers and symbols: H0o6!3

That isn't going to hit as a "word" in any database, and is relatively secure.  Pick longer words for more security.  I'm not saying that they'll never be hacked, but if you aren't writing them down on sticky notes stuck to the underside of your keyboard they'll be a lot harder for someone to guess.

And you might think the sticky note thing is a joke, but I'm still fighting with my boss over putting stickies with her passwords on the bloody monitor for everyone to see!
GamerHandle
member, 745 posts
Umm.. yep.
So, there's this door...
Fri 10 Jul 2015
at 18:23
  • msg #13

Re: Password emailed in cleartext

http://imgs.xkcd.com/comics/password_strength.png

Actually ^ this is the way to go.  Enjoy, have a laugh, memorize, and laugh some more.
cruinne
moderator, 6628 posts
I'm not as dumb
as your parents.
Sat 11 Jul 2015
at 01:27

Re: Password emailed in cleartext

In reply to GamerHandle (msg # 13):

I was gonna post that, but you beat me to it :-)

A simple word with numeric/symbol substitutions is surprisingly easy to break, sadly enough.
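The leet-style substitution trick from msg #12 ("hoodie" becomes "H0o6!3") and cruinne's reply that such passwords are easy to break can be shown side by side with a small rule-based cracker. This is an added example written for this thread, not code from RPoL or from any poster; it assumes the site stores a plain SHA-256 of the password (a stand-in, since the thread says nothing about how RPoL stores passwords), uses a constructed four-word wordlist, and applies a fixed substitution table that is an assumption about what a real rule set would contain.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
	"unicode"
)

// leet maps a lowercase letter to the spellings a cracking rule set would try
// for it. The original letter is always the first alternative. The table is an
// assumption; real rule sets (hashcat, John) are larger.
var leet = map[rune][]string{
	'a': {"a", "4", "@"}, 'b': {"b", "8"}, 'd': {"d", "6"}, 'e': {"e", "3"},
	'g': {"g", "9"}, 'i': {"i", "1", "!"}, 'l': {"l", "1"}, 'o': {"o", "0"},
	's': {"s", "5", "$"}, 't': {"t", "7"},
}

// Mangle expands one dictionary word into every combination of the leet
// substitutions above, plus a capitalised first letter. For "hoodie" that is
// 2*2*2*2*3*2 = 96 candidates, one of which is "H0o6!3".
func Mangle(word string) []string {
	variants := []string{""}
	for i, r := range strings.ToLower(word) {
		alts := []string{string(r)}
		if subs, ok := leet[r]; ok {
			alts = append([]string(nil), subs...) // copy so the map is untouched
		}
		if i == 0 {
			alts = append(alts, string(unicode.ToUpper(r)))
		}
		next := make([]string, 0, len(variants)*len(alts))
		for _, v := range variants {
			for _, a := range alts {
				next = append(next, v+a)
			}
		}
		variants = next
	}
	return variants
}

// HashHex stands in for whatever the site actually stores; unsalted SHA-256 is
// assumed here purely for the demonstration.
func HashHex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Crack runs the mangled wordlist against one stored hash and reports the
// recovered password, the number of guesses it took, and whether it succeeded.
func Crack(targetHex string, wordlist []string) (string, int, bool) {
	tries := 0
	for _, w := range wordlist {
		for _, cand := range Mangle(w) {
			tries++
			if HashHex(cand) == targetHex {
				return cand, tries, true
			}
		}
	}
	return "", tries, false
}

func main() {
	// Constructed sample: a tiny wordlist and the hash of the post's example.
	wordlist := []string{"monkey", "dragon", "hoodie", "letmein"}
	target := HashHex("H0o6!3")
	pw, tries, ok := Crack(target, wordlist)
	fmt.Printf("found=%v password=%q guesses=%d\n", ok, pw, tries)
	// For scale: four random words from a 2048-word list give 2048^4 candidates,
	// which no substitution trick on a single word comes close to.
	fmt.Printf("variants of %q: %d; 2048^4 = %.2e\n",
		"hoodie", len(Mangle("hoodie")), math.Pow(2048, 4))
}
```

The point of the guess count is that the substitutions add only a constant factor (under a hundred variants per word) on top of the wordlist, so the search is still bounded by the size of the dictionary rather than by the 95^6 a naive "six random printable characters" estimate would suggest.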
swordchucks
member, 975 posts
Sat 11 Jul 2015
at 02:14
  • msg #15

Re: Password emailed in cleartext

Password complexity is one of those things IT people get really excited about, but really means little.  The system itself should resist attempts to hack passwords via lockouts, etc.

Most user passwords are lost because someone gives them away without realizing it.
DarkLightHitomi
member, 918 posts
Sat 11 Jul 2015
at 12:56
  • msg #16

Re: Password emailed in cleartext

I heard in class (from the teacher of computer security), that passwords shorter than 15 digits can be split into two 7 digit components and cracked separately.

Also, dictionary attacks would defeat the password in the cartoon linked above, though using mostly words with just a few weird things should be good.
LoreGuard
member, 606 posts
Sat 11 Jul 2015
at 14:55
  • msg #17

Re: Password emailed in cleartext

LANMAN password hashes are made of two seven character hashes.  This is one reason that you will see recommendations to require users to do passwords longer than 14 characters.  However, you can configure your AD and local machines not to store these weaker hashes as long as you don't have something that is stuck having to use the older hash methods to authenticate.
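The two-halves structure that LoreGuard describes (and that DarkLightHitomi's teacher was alluding to in msg #16) is easy to see in code. The following is an added example written for this thread, not code from any poster or from Microsoft: it implements the LM hash as publicly documented (uppercase, NUL-pad to 14 bytes, split into two 7-byte DES keys, encrypt the constant "KGS!@#$%") using Go's standard crypto/des, assumes ASCII-only passwords, and then attacks each half separately against a constructed candidate list.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that each 7-byte half key DES-encrypts.
var lmMagic = []byte("KGS!@#$%")

// padUpper uppercases s (ASCII assumed) and NUL-pads it to exactly n bytes.
func padUpper(s string, n int) []byte {
	p := []byte(strings.ToUpper(s))
	return append(p, make([]byte, n-len(p))...)
}

// desKeyFrom7 spreads 56 key bits over 8 bytes, leaving the low bit of each
// byte for the DES parity bit, which the cipher ignores.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		(k[0] << 7) | (k[1] >> 1),
		(k[1] << 6) | (k[2] >> 2),
		(k[2] << 5) | (k[3] >> 3),
		(k[3] << 4) | (k[4] >> 4),
		(k[4] << 3) | (k[5] >> 5),
		(k[5] << 2) | (k[6] >> 6),
		k[6] << 1,
	}
}

// lmHalf computes the 8-byte LM hash half for one 7-byte chunk.
func lmHalf(chunk []byte) ([]byte, error) {
	block, err := des.NewCipher(desKeyFrom7(chunk))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out, nil
}

func hexUpper(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }

// LMHash returns the 32-hex-digit LM hash of password. Windows stores no LM
// hash for passwords longer than 14 characters, so those are rejected.
func LMHash(password string) (string, error) {
	if len(password) > 14 {
		return "", errors.New("longer than 14 characters: no LM hash is stored")
	}
	p := padUpper(password, 14) // case folding and padding both shrink the keyspace
	h1, err := lmHalf(p[:7])
	if err != nil {
		return "", err
	}
	h2, err := lmHalf(p[7:])
	if err != nil {
		return "", err
	}
	return hexUpper(h1) + hexUpper(h2), nil
}

// CrackHalves attacks each half of an LM hash on its own: every candidate of
// up to 7 characters is hashed once and compared against both halves, so a
// 14-character password costs two 7-character searches, not one 14-character
// search. An empty second half (password of 7 characters or fewer) is detected
// up front because it always hashes to the same constant.
func CrackHalves(lmHex string, candidates []string) (string, bool) {
	lmHex = strings.ToUpper(lmHex)
	first, second, okFirst, okSecond := "", "", false, false
	if empty, err := lmHalf(make([]byte, 7)); err == nil && hexUpper(empty) == lmHex[16:] {
		okSecond = true
	}
	for _, c := range candidates {
		if len(c) > 7 || (okFirst && okSecond) {
			continue
		}
		h, err := lmHalf(padUpper(c, 7))
		if err != nil {
			continue
		}
		hx := hexUpper(h)
		if !okFirst && hx == lmHex[:16] {
			first, okFirst = c, true
		}
		if !okSecond && hx == lmHex[16:] {
			second, okSecond = c, true
		}
	}
	return strings.ToUpper(first + second), okFirst && okSecond
}

func main() {
	for _, pw := range []string{"", "pass", "password", "PaSsWoRd", "passwordXYZ"} {
		h, err := LMHash(pw)
		fmt.Printf("%-14q %s %v\n", pw, h, err)
	}
	h, _ := LMHash("password")
	got, ok := CrackHalves(h, []string{"LETMEIN", "PASSWOR", "D", "SECRET"})
	fmt.Println("recovered:", got, ok)
}
```

Running it shows the properties the posts are talking about: "pass" and "password" share nothing in the second half with a 14-character password, but "password" and "passwordXYZ" share their entire first half, "PaSsWoRd" hashes identically to "password", and any password of seven characters or fewer ends in the constant AAD3B435B51404EE. The NT hash does none of this, which is why disabling LM hash storage (the NoLMHash policy LoreGuard mentions) removes the problem rather than merely requiring 15-character passwords.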
GamerHandle
member, 746 posts
Umm.. yep.
So, there's this door...
Sat 11 Jul 2015
at 17:07
  • msg #18

Re: Password emailed in cleartext

In reply to DarkLightHitomi (msg # 16):

To the last part, true and not true.  A 'dictionary' attack does not just target standardized dictionary words.  Also, using multiple words ups the complexity of the attack.  Dictionary attacks DO look for letter substitutions.  However, four words in a 30-character password is actually still quite a long crack.
Gaffer
member, 1289 posts
Ocoee FL
40 yrs of RPGs
Sat 11 Jul 2015
at 17:57
  • msg #19

Re: Password emailed in cleartext

In reply to GamerHandle (msg # 13):

Thanks. My new universal password is correcthorsebatterystaple.
GamerHandle
member, 747 posts
Umm.. yep.
So, there's this door...
Sat 11 Jul 2015
at 19:35
  • msg #20

Re: Password emailed in cleartext

In reply to Gaffer (msg # 19):

LOL.  Sadly, that would STILL be better than what a lot of people do (like people who, as mentioned above, paste their own passwords on sticky notes.)