Forum Moderators: phranque

Someone tried logging into my domain with wrong password

Can they get in ???

         

diddlydazz

4:54 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The password they used is what is displayed in the browser location bar, ie. encrypted

Is there a way for them to decode it ??

Any help with this would be greatly appreciated.

I have their IP and have traced them to the Netherlands but is there anything else I can do with the IP ??

Thanks in advance

Dazz

EliteWeb

5:32 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So you went over to someone's house/work and sat down on their computer while typing in a website address it showed the full URL that contained an encrypted/non-encrypted password?

The account they are trying to get into - you should change the password. If you think they are a 'hacker' then it may be wise to block their IP address (which could be a proxy of some sort)

EliteWeb

diddlydazz

5:37 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks Eliteweb,

<<<So you went over to someone's house/work and sat down on their computer while typing in a website address it showed the full URL that contained an encrypted/non-encrypted password? >>

I have never been to the Netherlands :)

I will change the password.

Thanks

Dazz

p.s Can they decrypt it ?

nosanity

5:54 pm on Jan 24, 2002 (gmt 0)

10+ Year Member



Another thing you can try is not passing the password, but dumping a session id into a db then only passing that session id. This way, guessing the session id would be extremely difficult and would not give an indication of the user's password.

noSanity

diddlydazz

5:55 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



nosanity,

Is that something the host would have to do ?

or is it something I can do?

dazz

<added> I think I should also mention that I always log in to the domain on a secure server <added>

EliteWeb

6:00 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You would have to change some of the programming to the program if it relies on it being passed along, but session ids are the best way to try it.

How do you know they tried logging in with the wrong passwords? Occasionally I have gone to PAY sites and just typed in a fake login and password.

=-) unless the person gains access into your computer or you have a hole open somewhere or there are passwords stored in your html by default being passed along I think you are alright - go for it try to change the passwd.

diddlydazz

6:06 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<<How do you know they tried logging in with the wrong passwords?

I receive an email with their IP address and the password they typed.

Dazz

EliteWeb

6:07 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does it require both a login and password or just a password? How many people know the login and password? What type of site? Stickie URL to me.

nosanity

6:11 pm on Jan 24, 2002 (gmt 0)

10+ Year Member



Obviously those pages are dynamic to have the password sent along in a query string. So if they are dynamic, then you would need to alter your script or cgi to take use of such ideas as tracking the session id rather than a password. Passwords (encrypted or not) should only be transmitted once on any site. This ensures a higher level of security. This is something you (the developer) can accomplish without too much hassle as long as you know the "language" the script or cgi was written in.

noSanity
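
The session-id approach nosanity describes, sketched as an added example that is not part of the original thread or the host's code: the password is checked once at login and every later request carries only a random id, sent as a cookie rather than in the query string. `SessionStore`, `session_cookie`, the `demo` account and the 30-minute timeout are assumptions made for illustration; the dict stands in for the db table.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 1800  # seconds; assumed idle timeout

class SessionStore:
    """In-memory stand-in for the session table (hypothetical names)."""

    def __init__(self, users):
        # users: {login: (salt, pbkdf2_hash)}; the plaintext password is never stored
        self._users = users
        self._sessions = {}  # sha256(session id) -> (login, expiry)

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _key(session_id):
        # Keep only a digest so a leaked table does not hand out live ids.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, login, password, now=None):
        """Check the password once (POST body over HTTPS) and issue a session id."""
        now = time.time() if now is None else now
        salt, stored = self._users.get(login, (b"\x00" * 16, b""))
        candidate = self.hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):
            return None
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(session_id)] = (login, now + SESSION_TTL)
        return session_id

    def whoami(self, session_id, now=None):
        """Return the login for a live session id, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(session_id or ""))
        if entry is None or entry[1] < now:
            return None
        return entry[0]

    def logout(self, session_id):
        # Invalidate server-side so a copied id stops working immediately.
        self._sessions.pop(self._key(session_id), None)

def session_cookie(session_id):
    # Cookie, not query string: nothing secret reaches the location bar or Referer.
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"

# Constructed sample account for the demonstration
_salt = secrets.token_bytes(16)
STORE = SessionStore({"demo": (_salt, SessionStore.hash_password("correct horse", _salt))})
```
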

diddlydazz

6:20 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



nosanity,

I don't control the pages it is my host, do you think I should tell them to sort their act out ?

I am having problems with them at the moment and this is just the icing on the cake.

Thanks

Dazz

EliteWeb

6:21 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK chances are the guy saw your site, did a little research on it, found out where it was registered and tried to log into the admin control panel. Change your password if it is the same as any of your other passwords add numbers and letters to it. Before going to another URL make sure you go to one of your sites first so the referral logs of the other sites don't have the URL of you being logged into the control panel.

EliteWeb

nosanity

6:23 pm on Jan 24, 2002 (gmt 0)

10+ Year Member



Well, I personally would blow a gasket at these people for not using KNOWN security techniques... but then again I am a security nutcase. :-)

noSanity

(edited by: nosanity at 6:28 pm (utc) on Jan. 24, 2002)

diddlydazz

6:24 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for checking it out for me, I think I may have done that at some point (gone straight from my login to another website) I didn't realise that this showed in the logs ?? I thought it was only if you clicked on a link that it shows :).
Obviously not:)

So is their site secure ??

Thanks to the both of you for your help in this.

Dazz

EliteWeb

6:26 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just use the log out feature on the site. (:

diddlydazz

6:28 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



will do, what about when I open a new browser window does this show anything ?

Dazz

<added> do you think it is possible that this person has seen it in his logs and clicked on it to see what it is ??

(edited by: diddlydazz at 6:30 pm (utc) on Jan. 24, 2002)

EliteWeb

6:29 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does the new browser window still have the URL of you logged in located in the address bar? If it doesn't then it will not. Change your password and you should be fine (:

diddlydazz

6:33 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks :)

Dazz

diddlydazz

6:35 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So while we are on this subject which browser is more secure Netscape 4.7 or IE 5.5

?

Dazz

EliteWeb

6:37 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Both follow the same standards really, it's all up to your preferences. But tell me the last time you heard of a security issue with NS? Because I have heard of plenty for IE causing me to keep updating - I think every time I update it isn't due to a security issue hotfix, it's to install more **** on my computer.

I use them both.

nosanity

6:48 pm on Jan 24, 2002 (gmt 0)

10+ Year Member



On a regular basis, I use IE because there aren't many sites that I visit that are properly formatted to handle both IE and NS, but for development work, all my sites work in NS 4.7 + 6.2, IE 5.5 + IE 6, Opera 5 + 6. I must thank the people I work with for showing me how to ensure all the previous browsers can be handled the same though. :)

noSanity

<added>Although, for any secure site, I prefer NS because there have been way too many problems with IE, and I just trust NS more.</added>

diddlydazz

6:52 pm on Jan 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I always use Netscape unless it is a site that is not compatible, I had the impression that Netscape was more secure as well

Thanks for the feedback

Dazz