Login/Register is massively dumb

Ok, seriously what system is this site built on? Besides every other link in this site not working, here are some bugs for you:

  1. Thank you for forcing your password policy down my throat. (15 char, + all forms of special characters).

  2. Thank you for emailing me my password when I did not check the “email me my password” box.

  3. Thank you for storing your passwords in clear text; raising the question as to why you even bothered with such a convoluted thing in the first place.

The site Beta is still being developed, so yes, stuff will be broken in places.

The password requirements are strict to help prevent misuse, but instead of messing with a password you can use one of the available 3rd party login providers, like Google or FB, or use a special file on your computer as a key.

We’ll fix the password being emailed, thanks for the heads up.

HINT: Changing your password through your profile allows you to have a shorter, less restricted password.

I actually really like the site.

Yeah this was one of my major complaints too, absolutely ridiculous. I don’t even remember my own password.

no, what’s ridiculous is that

  • logging in is allowed via anything other than a public key (2 bad mechanisms are allowed: password, and sole third-party site (public key is not even an option)).
  • the e-mail address is an unabdicable dominator in identification.

blowFish: Passwords are not stored in clear text. They are stored with a strong hash (no MD5 or SHA). The password is sent to your email so you decide what to do with it before the system forgets it forever. Those passwords are never stored anywhere as they are input.

The reason for the long password length is that passwords under that length are not safe anymore. It is recommended not to use passwords but passphrases. You can, for example, have a passphrase like: [ OMG!I’llsoonB@N.Y. ] (18 chars) which is pretty easy to remember but almost impossible to crack with current technology.

I know, the authentication system is not perfect. I didn’t have time to finish it as I wanted it to be.

BTW. I just fixed a bug that was preventing people from registering with Google. Sorry for that. Now it’s working.

WRONG. The password is transmitted through the e-mail system, which is even worse (one doesn’t even need to hack the forum system to acquire the passwords), and usually over an unencrypted connection between e-mail service providers, which is worse still. It is at least the e-mail system, but generally all eavesdroppers, such as ISPs, that store the unencrypted password. The only partial way out of this would be to send only temporary passwords via e-mail, and require users to change those within 24 hours to something new and secure, which never leaves the forum system and the user’s computer.

COCKSUCKER !!!1!1

Hi DevHC. Yes and No. The passwords are transmitted through the email system but in an encrypted way (using TLS). If you download your email through non-encrypted channels that is something you need to solve.

The whole idea behind the “Show password” and the “Email me the password” checkboxes is that optionally you can write down the password (in case you don’t trust your email provider). However, if what blowFish said is true (about the password being sent without checking the option), I would need to fix that.

I think I wasn’t very clear about the lengthy passwords, so I will extend my explanation:

An 8-character-long password (like: Rw168j3d) can be cracked in a few hours. Imagine we allowed 8-character passwords. Ckit said he can’t even remember his “short” password. If in Ckit’s idea, 8-character passwords are easier to remember (than a lengthy phrase), it means he usually uses more “easy-to-remember” passwords than the example above, like: “goodday8”, which are even faster to crack.
It’s also true that many people recycle their passwords (maybe not you). So, if the server gets hacked (which happened just a few months ago, as it’s a shared server), they can get your “universal” password and your email, and automatically have access to your email account. From there, they can access your FB, Twitter, Amazon, Netflix, etc. account and you will blame us.

That is why we are trying to persuade people to use social logins, so their passwords are protected by big companies who have the resources to do so. We don’t have such resources or time to guarantee a 100% hacking-safe site. We do what we can.

If people don’t want to use such services, then at least we have to be sure it will be very hard for hackers to get the original passwords. If using a passphrase is not easy enough, there is the option to use a local file to generate your password. Those files are never sent to the server and it works with Google Drive, Dropbox, and so on, and works on PCs or mobiles. For example, you can draw a granger in Paint, or use your favorite mp3, or you can generate a key and use that as your password. You just need to remember which file you used, easier than remembering a password or phrase.

@DevHC: Not sure what you mean by “Public Key”. If what you mean is “client certification”, that is not a good alternative. Implementing such a mechanism here would just make things (like administration) much more complicated. Please read here why client browser certificates are not a good alternative. The installation of such certificates is not easy for everyone. There is only one way to easily install such certificates, which involves the deprecated HTML element “keygen”. There is no plan to replace it, which leaves us with a complicated procedure.

Unfortunately I don’t have the time to improve the login/registration system. So if anyone here wants to take over and improve it, I can help.

Who is going to commit hours of time and processing power to hack into somebody’s forum account?

If this was my bank account, I would agree with you. I have no personal information or assets tied to this, I really don’t see the need for such security measures.

When I attempt to make a long secure password for my Microsoft account, I get this message “Your password can’t be more than 16 characters long.”

@Ckit: Hackers are not interested in your GrangerHub account. However, your gmail, hotmail, etc. account is more useful for them. As I explained, many people recycle their passwords and thus it is easy to get access to other accounts or more important information stored in your email account (like credit card info, etc).

I hope Microsoft changed that, otherwise it means they are using 2-way encryption in order to retrieve original passwords, which is not very safe. When using one-way encryption (hashing), password length doesn’t matter. This link can explain it better than me:

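Added example, not code from GrangerHub or from anyone in this thread: a salted one-way password hash that accepts any password length (so a 16-character cap is a sign of reversible storage, as the last post argues), a constant-time verify, and a derivation of a password from a local file's bytes in the spirit of the "use a file as a key" option described earlier. The iteration count and the file-to-password construction are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor (assumed value for this example; raise it in production).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted hash. Only this string is stored; the password itself is forgotten.
    Stored format: pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def digest_size(stored: str) -> int:
    """Bytes of stored digest: identical for an 8-char password and a 180-char passphrase."""
    return len(base64.b64decode(stored.split("$")[3]))


def password_from_file(file_bytes: bytes) -> str:
    """Derive a password from a local file's contents; only this string, never the file,
    is sent to the server. Assumed construction, not GrangerHub's actual scheme."""
    return base64.urlsafe_b64encode(hashlib.sha256(file_bytes).digest()).decode("ascii")


if __name__ == "__main__":
    for pw in ("Rw168j3d", "OMG!I'llsoonB@N.Y." * 10):   # 8 chars vs 180 chars
        print(len(pw), "chars ->", digest_size(hash_password(pw)), "byte digest")
    key_pw = password_from_file(b"constructed sample file contents")  # constructed input
    print(verify_password(key_pw, hash_password(key_pw)))
```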