
Site Security

#1
I've noticed that when I enter a wrong user Id while trying to log in, the system says something to the effect of "xxxxx is not a valid user id".

That seems to me to be iffy from a security point of view. Simplistically speaking, that means that 1/2 a cracker's work is being done for him by the system.

Can the admins look into that please? A message along the lines of "Wrong Id or password entered, try again" would be great.

:idea:
 

oldbaldy

LE
Moderator
#4
I can't even understand what he is on about.
Oh, I know, I don't make mistakes with my username.
I can remember it.
The Alzheimer's must be curing itself.

I think.
 
#6
I agree with scabster, every time I log in I've always got a load of PMs from MDN detailing unspeakable things he wants to do to me. I also fear for my security.
 
#7
It's just one of those InfoSec 'facts' that tossers trot out. What he is saying is; yawn; if someone is trying to hack a site, the best thing to do is try to guess a genuine user's name, then you can use an automated tool in an attempt to crack the password.

So if you know a company website is administered by John Smith you try all the combinations you can think of: Johnsmith, john.smith, jsmith, smithjohn, etc. The theory is that if the response is words to the effect of "invalid username" it helps you establish that the name is wrong. A response such as "invalid credentials" does not make that so easy, as you do not know if it is the username or the password that you have wrong. Poor boy has not yet heard of John the Ripper.
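To make the point in post #7 concrete, here is an added example (not code from the site or from anyone in this thread) contrasting a login check that reveals whether the user id exists with one that returns the single message the original poster asked for. The user table, salts and passwords are constructed for the example; the dummy record makes an unknown username cost the same hashing work as a known one, so the response cannot be told apart by wording or timing.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; constructed for the example


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, password hash). Not real data.
_SALT = os.urandom(16)
USERS = {"john.smith": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the username is unknown, so the same hashing work
# is done either way and the response time does not reveal which case hit.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-never-valid", _DUMMY_SALT)

UNIFORM_MSG = "Wrong Id or password entered, try again"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The behaviour post #1 complains about: the error text tells the
    caller whether the user id exists before the password is even checked."""
    rec = USERS.get(username)
    if rec is None:
        return (False, f"{username} is not a valid user id")
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "ok")
    return (False, "wrong password")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message for every failure, and the password is
    hashed against a dummy record when the username is unknown."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The dummy record must never authenticate, so re-check membership.
    if ok and username in USERS:
        return (True, "ok")
    return (False, UNIFORM_MSG)
```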
 
#8
Mmmm... given that ARRSE usernames are in a long list in one of the modules and plastered all over the site, I don't think our elite cracker would need to try too hard to get hold of one.

Therefore I stick to my assumption that it was a windup.
 
#10
western said:
Poor boy has not yet heard of John the Ripper.
Do dictionary based crackers still work? I suppose if you had some OCR software to get around those "type in the characters in the box above" thingys (what are they called) as well as a brute force cracker then it might work, but of all the sites in the world, why would you want to hack this one? To post abusive messages under someone else's login name? No one would notice any difference.
 
#11
arby said:
western said:
Poor boy has not yet heard of John the Ripper.
Do dictionary based crackers still work? I suppose if you had some OCR software to get around those "type in the characters in the box above" thingys (what are they called) as well as a brute force cracker then it might work, but of all the sites in the world, why would you want to hack this one? To post abusive messages under someone else's login name? No one would notice any difference.
As most people are simpletons such as me, complex passwords are generally only created if enforced by the system. Then you just move on to Rainbow Lists. In reality it's really not that difficult.
 
#12
Eh! I forgot about this thread!

TBH, it really did slip my mind that the login can be discerned from...just about anywhere on this site... :oops:

BUT...if one may discern the user name from the forum itself, then is that not an argument for the log in to be one's email instead?

Of course, as pointed out above, who the fuck cares if one logs in using your name and posts shit. I understand a 'Nighttrained' has a propensity to have his account hijacked and he doesn't seem the worse for wear.

In other words, just ignore the preceding! Was just a suggestion innit.
 
