Site password security

Discussion in 'Site Discussion' started by Fallowfox, Jan 29, 2017.

  1. Fallowfox

    Fallowfox T-Tauri

    My Firefox web browser alerts me that passwords entered into this website could be compromised by third parties.


    Could site staff possibly look into this?

    Until then, I think it is advisable that everybody make sure they don't use the same password on this forum anywhere else on the internet. (You shouldn't duplicate passwords anyway.)
  2. Alex K

    Alex K Guest

    I got a good password for ya. It's something no one ever even thinks about.

    Your password should be: "Password"
  3. jayhusky

    jayhusky Well-Known Member

    This is because the forum doesn't have HTTPS enforced by default, so all communications on the forum domain are sent via the insecure HTTP protocol. Quite why this wasn't turned on, I'm not sure, but it does function fine.

    However, if you change the http part of the protocol to https, the forums will be secured under the HTTPS protocol.

    If you are that worried about your account being hijacked, you can download an HTTPS enforcer (such as HTTPS anywhere) and it will force the site to use HTTPS, although I would advise deactivating it for the main site and using the "Full Security" mode in the account settings, as there are issues with HTTPS enforcers and FA's system for some unknown reason.

    Below is a screenshot to show the forum HTTPS in action.

    -AlphaLupi and Fallowfox like this.
  4. -AlphaLupi

    -AlphaLupi The Fennec

    To add to this,

    If you even remotely care about your online security, make sure to use a password manager and activate two-factor authentication where possible. Password managers mean you can use incredibly complex, near impossible to crack passwords everywhere while only having to remember a single password (your master password, make sure that badboy is extra secure) and 2FA makes hacking into your account incredibly difficult, if not impossible, as the attacker would need both your account password and physical access to your cell phone/authenticator app.
    Wakboth and jayhusky like this.
  5. jayhusky

    jayhusky Well-Known Member

    Yes, this!
    To add a small point, if you cannot use 2FA, because the site doesn't support it or whatever, try to use a varied combination of special characters, alphanumerics and capitals as a base to work from. However, do not use the "hash" symbol or the "at" symbol (they're # and @ respectively). Believe it or not, sometimes they cause issues with passwords. It's strange but true.

    Also as a small addition to my original post, here's a link to SSL info for FA, so you can see when it's due to expire and the Cert Authority too.
    Expiry shouldn't be an issue if FA has set up a rolling SSL which auto-renews.
    -AlphaLupi likes this.
  6. Dragoneer

    Dragoneer Administrator Staff Member

    We will be looking into forcing the forums to require HTTPS by default, and I will be following up on that in just a few days (along with some other forum tweaks).