Site Security

Discussion in 'ARRSE: Site Issues' started by Scabster_Mooch, Dec 13, 2007.

Welcome to the Army Rumour Service, ARRSE

The UK's largest and busiest UNofficial military website.

The heart of the site is the forum area, including:

  1. I've noticed that when I enter a wrong user Id while trying to log in, the system says something to the effect of "xxxxx is not a valid user id".

    That seems to me to be iffy from a security point of view. Simplistically speaking, that means that 1/2 a crackers work is being done for him by the system.

    Can the admins look into that please? A message along the lines of "Wrong Id or password entered, try again" would be great.

  2. Good CO

    Good CO LE Admin

    Poor indeed. Show again windup.
  3. Information Security fundamentalist. Don't worry he will get over it in about thirty years.
  4. oldbaldy

    oldbaldy LE Moderator Good Egg (charities)
    1. Battlefield Tours

    I can't even understand what he is on about.
    Oh, I know, I don't make mistakes with my username.
    I can remember it.
    The altzheimer's must be curing itself.

    I think.
  5. The Site Security is excellent ,It as improved tremendously over the last couple of years well done Admin
  6. I agree with scabster, everytime I log in Ive always got a load of PMs from MDN detailing unspeakable things he wants to do to me. I also fear for my security.
  7. Its just one of those InfoSec 'facts' that tossers trot out. What he is saying is; yawn; if someone is tring to hack a site, the best thing to do is try to guess a genuine users name then you can you as automated tool in anm attempt to crack the password.

    So if you know a company website is administed by John Smith you try all the combinations you can think of Johnsmith, john.smith, jsmith, smithjohn, etc. The theory is that if the response is words to the effect of invalid username it helps you establish that the name is wrong. A respose such as invalid creditials does not make that so easy as you do not know if it is the username or password that you have wrong. Poor boy has not yet heard of John the Ripper.
  8. Good CO

    Good CO LE Admin

    Mmmm... given that ARRSE usernames are in a long list in one of the modules and plastered all over the site, I don't think our elite cracker would need to try too hard to get hold of one.

    Therefore I stick to my assumption that it was a windup.
  9. You see the flaw in the argument then? Althogh I think he was genuine.....dumb but genuine.
  10. Do dicionary based crackers still work? I suppose if you had some OCR software to get around those "type in the characters in the box above" thingys (what are they called) as well as a brute force cracker then it might work, but of all the sites in the world, why would you want to hack this one? To post abusive messages under someone elses login name? No one would notice any difference.
  11. As most people are simpletons such as me complex passwords are generally only created if enforcedc by the system. Then you just move on to Rainbow Lists. In reality its really not that difficult.
  12. Eh! I forgot about this thread!

    TBH, It really did slip my mind that the login can be discerned from...just about anywhere on this site... :oops:

    BUT...if one may discern the user name from the forum itself, then is that not an argument for the log in to be one's email instead?

    Of course, as pointed out above, who the fuck cares if one logs in using your name and posts shit. I understand a 'Nighttrained' has a propensity to have his account hijacked and he doesn't seem the worse for wear.

    In other words, just ignore the preceding! Was just a suggestion innit.
  13. innit??
  14. I think he's caught the Chav virus, comes from using inadequate security. :lol:
  15. And allowing siblings to breed with each other.