Hi Folks.
My name is Andrzej and I am a paranoid dude… I am also a user of Your free AV for Linux, and before that I was using Your free product on Windows… and I love it… and I have been recommending it to friends and family… And I think You guys are doing something wonderful. You care about users' security on the internet and You do it free of charge… And this is why I feel compelled to do this…
I registered here yesterday and I have a few security tips for the forum admins…
First… Why on earth would somebody send me my password after I registered, in plain text, via e-mail in the confirmation letter?
A) If I was not paranoid and if I was not always using SSL between my Thunderbird and e-mail provider someone could “listen” to the content of the letter and get my password.
B) If You can send me the e-mail with the plain text password in it (I am afraid to ask) does it mean that the e-mail is STORED in plain text format in Your database? DUDE!
C) If I hadn’t changed the password immediately after noticing this and someone ever took over my e-mail - they would get the password to this forum on a silver platter… and they could do nasty things… Now at least they have to go to the trouble of going to Your forum, clicking the “I forgot my password” button and waiting for the e-mail that will allow them to change the password to something they choose before spamming the forum with little blue pill ads…
D) This meant for me (and possibly other users too) - changing the password as soon as I have registered which meant extra work and time…
Conclusions? This is a BAD security practice. If I have registered with the forum - I entered a password and I probably remember what it was (or have it stored in LastPass or another secure password manager)… Why send it to me in plain text? That’s so ’90s… If I cannot remember the password I will use the password reminder. I am not gonna tell You to hash and salt Your passwords in the database… you should know about it better than I do…
I hope that You will change that folks…
Another thing - the “Hide my e-mail from public” box… It’s not ticked by default… This is another bad security practice…
Let’s say a bunch of complete noobs register at the forum and they have NO idea about internet security routines. Heck they are probably giving their e-mail addys to the spammers for free just so they could get their first e-mail letter and be “cool cats”… I know… If they don’t care… BUT guys - You are a security related bunch. You should know better… It’s like Windows XP and its Firewall all over again… Windows XP had the firewall disabled by default… for all network interfaces. After they were flooded with complaints they released (I think Service Pack 2 was first) CDs with the firewall turned on by default. I mean… This is big… By not having the box ticked by default You are supplying spammers with e-mail addys (all they have to do is register and start harvesting) and I am betting my vital organs - You do not want to be associated with things like this…
Third and last part is about the registration process… I used a very complicated password:
K"b^+yd(49f%4,c9h\ywNXZ=qnw\Dm@F*/)jJM+5/BR*+}%oKEz1*wE+DqA&vuT
Yes that’s the actual password that I have used (or at least that’s the password sent to me in the confirmation letter - I never compared it with the password that I have used during registration process). It’s been changed since then and I always use different random passwords for the sites I am registering with so I don’t care if someone sees it. Problem is that Your registration script is somehow changing some of the characters in the password and it allowed me to use it in the registration process BUT it would not let me log in with it.
I had to use a different - less complicated password. It’s still very strong BUT some of the characters had to be excluded in the password generating process. I am not sure what’s wrong there but it would be good to let users know that some characters are not allowed in the passphrase. Oh You get the point.
Please do not hate me. I do not mean any offense but it’s like not telling Your best friend that she / he left her / his front door wide open before he / she went abroad for 3 weeks and then acting surprised when You realize he / she got robbed and all their valuables are gone… OR like not telling a child not to play with an electric socket and then crying at the funeral. It’s a “you could have done something and yet You chose to be a wuss” story. Well I am deciding to tell You about this. Please tighten up Your security policies on the forum folks. You will do what You want and I won’t feel guilty.
Regards.
Andy
P.S. I see that You are filtering the v word. Good one. I like that ;). I also like the fact that You don’t allow unregistered folks to browse user profiles. Great!
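The two password-handling complaints in the post (plain-text storage, and a registration script that alters some characters so the password no longer matches at login) can be reproduced side by side. The following is an added example, not code from the post or from the forum software: the "legacy" pipeline assumes, purely for illustration, that the registration path HTML-escapes the password before storing it while the login path does not, which is one plausible way to get the symptom described. The hardened pipeline stores a salted PBKDF2-HMAC-SHA256 record instead, so the password is never kept in clear and every character round-trips unchanged. The long password quoted in the post is used as the sample input because it contains both `"` and `&`.

```python
import hashlib
import hmac
import html
import os
from typing import List, Optional

# Sample input taken from the post (the author says it has since been changed).
SAMPLE_PASSWORD = 'K"b^+yd(49f%4,c9h\\ywNXZ=qnw\\Dm@F*/)jJM+5/BR*+}%oKEz1*wE+DqA&vuT'


# --- Hypothetical legacy pipeline (assumed cause of the symptom) -------------
def legacy_register(password: str) -> str:
    """Store the password in clear, after an escaping step meant for HTML output.

    The escaping is an assumption made for this example; it turns '"' into
    '&quot;' and '&' into '&amp;', so the stored value no longer equals the
    password the user typed.
    """
    return html.escape(password)


def legacy_login(stored: str, password: str) -> bool:
    """Login path compares the raw password against the (mangled) stored value."""
    return stored == password


def find_mangled_chars(password: str) -> List[str]:
    """Report which characters the legacy escaping step would alter.

    This is what "let users know which characters are not allowed" looks like
    in code; the hardened pipeline below makes the list empty by design.
    """
    return sorted({c for c in password if html.escape(c) != c})


# --- Hardened pipeline: salted, iterated hash, no escaping layer ------------
ITERATIONS = 600_000  # PBKDF2 work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Run both pipelines on the sample password and return the outcomes."""
    legacy_stored = legacy_register(SAMPLE_PASSWORD)
    record = hash_password(SAMPLE_PASSWORD)
    return {
        "legacy_login_ok": legacy_login(legacy_stored, SAMPLE_PASSWORD),
        "legacy_mangled": find_mangled_chars(SAMPLE_PASSWORD),
        "hardened_login_ok": verify_password(record, SAMPLE_PASSWORD),
        "hardened_wrong_pw_ok": verify_password(record, SAMPLE_PASSWORD + "x"),
        "record_contains_password": SAMPLE_PASSWORD in record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format carries its own salt and iteration count, so the work factor can be raised for new accounts without breaking old ones; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched. Nothing in the hardened path can be mailed back to a user, which is the point the post makes about confirmation e-mails.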