Newcomer observations.


Cyber_Dog

4:35 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



I came to this forum via a Google search and just registered in hopes of getting assistance with an Apache question. I have to say I'm a bit shocked at how low-tech (and insecure) the registration process is. The sign-up form doesn't even mask the password input, and then, as if that wasn't enough, it's emailed to the user in clear text? I don't mean to make an overly harsh introduction, but I can't help noticing the irony that a site dedicated to web administration features such glaring, and simple to fix, flaws.

Aside from that, hi, nice to be here...

Brett_Tabke

2:50 am on Aug 28, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



ya, there is no need pretending that passwords are secure because you can't see them on the screen. We have found that the mass majority of password issues were resolved when we stopped the absurd masking of passwords. The majority of the time, the only one it is masking it from is you - which causes problems again and again. So, we decided to be grownups about it and blast it onto the screen for people to actually see. The only place it is masked is that it is encrypted in the cookies we set (which is the only place you need password security).

Cyber_Dog

11:11 pm on Aug 28, 2007 (gmt 0)

10+ Year Member



Don't most sites solve this problem by making the user enter it twice, then automating password recovery?

Anyway, how about the intro emails? I find those more problematic than what's displayed on screen... I guess it comes from being a career sysadmin who has always told users "don't email passwords!" Sure, the chance of getting your password stolen this way is probably small in the grand scheme of life, but just because you live in a safe neighborhood doesn't mean you should leave the keys in the car. :)

phranque

7:03 am on Aug 29, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld, cyber_dog!

Brett_Tabke

8:20 pm on Aug 29, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



in ten years, we have had nearly half a million registrations. Out of that, we have had two people mention the unmasked password. That is pretty good odds.

Cyber_Dog

3:37 pm on Aug 30, 2007 (gmt 0)

10+ Year Member



Soooo you regularly implement your security policies based on user recommendation? How many users have you met that think we should require passwords that are no more than 3 characters and never have to change them? :D

Marcia

11:51 pm on Sep 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>based on user recommendation?

Where does it say anything about user recommendation? Did I miss it? I seem to have read that it's only been mentioned by two users. Mentioned.

Based on?

How about based on 20+ years of website administration, including back to Commodore, Trash-80 and BBS days, before some of the guys around here even needed to shave and were still shooting spitballs and pulling girls' pigtails in classrooms when the teacher's back was turned?

How about multiple hundreds of thousands of user registrations over a period of 10+ years, trouble-free and without using smoke and mirrors to give a false sense of security when none is needed.

As a long-time veteran user, let me ask, just to set the record straight, how WebmasterWorld compares with the FBI & Microsoft [google.com], security-wise, and help me out by telling me what the problem is.

Marcia

4:26 am on Sep 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>Soooo...

Grrrrrr..

So now that we've formally made our introductions and some of us know what each others' personalities are like, welcome to WebmasterWorld! :)

Cyber_Dog

4:28 am on Sep 2, 2007 (gmt 0)

10+ Year Member



Hey, no need to get so defensive about it. I just tried to offer some constructive criticism; sorry if that's not welcome here.

All the same, to rebut:

1) Age/seniority does not a wise webmaster make.
2) Comparing your systems to those of a government with widely publicized technological shortcomings is not exactly a badge of honor.
3) Times change. The reason internet security is so difficult today is because its early architects did not anticipate its growth and potential vulnerabilities. Telnet was useful once too.
4) People with security training are paranoid about their networks for a reason. Just because you have a false sense of security about your systems doesn't mean they merit it, and just because you can't anticipate an attack doesn't mean it won't happen.
5) Good practice isn't common knowledge (my earlier point). If everyone, or even most people, had the wisdom necessary to run their networks without obtaining advice from third parties, we'd be living in a much different world. Just because only a couple people took the time to point out a shortcoming doesn't make it irrelevant.
6) A good SA is never too proud to take criticism. Your need to immediately flash your credentials and turn this into a pissing contest does not speak highly of your technical skills, and is probably doing you a great disservice.

Cyber_Dog

4:33 am on Sep 2, 2007 (gmt 0)

10+ Year Member



@Marcia: Your two posts seem completely at odds in terms of attitude... (I posted my reply before seeing the second.) I'm not sure if I read one incorrectly, or if there's some kind of Jekyll and Hyde thing going on here. At any rate, thanks for the welcome. I'd like to add I did get a very useful response to my Apache query, and I'll likely come back here in the future if need be.

lawman

1:58 pm on Sep 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for the suggestions C_D and welcome to WW. No doubt Brett has taken your observations into consideration. Your concern is appreciated.

>>Your need to immediately flash your credentials

I think she was flashing somebody else's credentials. ;)

callivert

12:24 am on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Cyber_dog,
it seems that your initial question was answered:
The sign-up form doesn't even mask the password input, and then as if that wasn't enough it's emailed to the user in clear-text?

Brett's response was that these things don't affect security, and that masking merely creates an illusion of security. So it seems that you've been laboring under a webmaster myth. You didn't say whether you agreed or not, so I assume you accept this answer.
Everything from that point on can be safely ignored, since the original point is settled.

Cyber_Dog

12:59 am on Sep 3, 2007 (gmt 0)

10+ Year Member



@callivert: No, I don't particularly accept it. I work in a fairly crowded office where you can fairly routinely see people typing at their desks, and it wouldn't be impossible to catch passwords over one's shoulder. Not to mention more open places like hotspot cafes and public areas with security cameras. Of course, the window of exposure when typing a password into a registration form is small, so the risk, although real, is minimized.

Email is the bigger issue, imo. First of all, there's cleartext transmission over the wire, and there's absolutely no way for you to guarantee that the recipient's email service will use SSL/TLS, regardless of whether or not WW even supports it. Furthermore, email is almost always stored in plain text, so even after it reaches its destination it's very much readable by anyone who may have access to the mail server, either legally or otherwise. Not to mention folks who may gain access to someone's email account; say in a family scenario, or in some unfortunate cases, misuse of a public terminal.

Now, I'm well aware that having one's password to a simple web forum compromised is far from the end of the world. There's little value in a forum account. The point I've tried to make is that a site that specializes in providing help to webmasters of any given industry should be leading by example of good practice. If my bank ever left my account passwords out in the open on the internet, they'd be losing themselves a customer right quickly. Good practice is good practice, whether or not you're running a financial institution or a web forum.

I also find the idea of calling common security practices "webmaster myths" very unsettling. I certainly hope no one here would go around telling potential webmasters to forgo security procedures because they deem them unnecessary. There is no such thing as "too much" security.

Lastly, I don't expect to show up out of the blue and have some long standing web community overhaul its code because I make a recommendation. I'm well aware the world doesn't work that way. I'm happy to let this thread end here and now, I just don't appreciate being given the brushoff as though I have no idea what I'm talking about. I've made my point, and unless someone really wants to argue it into the ground, we can just let it be what it is.

[edited by: Cyber_Dog at 1:14 am (utc) on Sep. 3, 2007]

Marcia

5:26 am on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>Hey, no need to get so defensive about it.
>>Comparing your systems

It isn't my system, and I don't need to defend it; I'm just someone who's been here a long time and doesn't like to see unnecessary FUD shoved down newcomers' throats. But that's not the point.

>>career sysadmin

Yeah, my daughter has spent a few years in sysadmin work - but she's still my kid and always will be. I'm not Brett's mother - he's not my kid and certainly doesn't need me to defend him or the system. You aren't my kid either, but if you were and you delivered a snotty remark like this:

Sooo you regularly implement your security policies based on user recommendation?

If you were under 12 you'd get a good smack and get sent to your room, and if you were a teen you'd get grounded for a month for copping an attitude and having a smart mouth.

Just because you have a false sense of security

That was covered and well refuted in the first response you were given

ya, there is no need pretending that passwords are secure because you can't see them on the screen. We have found that the mass majority of password issues were resolved when we stopped the absurd masking of passwords. The majority of the time, the only one it is masking it from is you...

[edited by: Marcia at 5:30 am (utc) on Sep. 3, 2007]

Sylver

5:37 am on Sep 3, 2007 (gmt 0)

10+ Year Member



Security is a trade-off with usability. You could kill a website using best of breed security techniques.

You have to define what you are protecting and how important it is to protect it (the risks) compared to what you lose with security measures.

1. On Webmaster World, what is the liability involved with a stolen user password?
Someone could access the forum as someone else and make posts as someone else. That's it. A user hardly has more rights than a non-user, and user accounts are free, so the incentive for someone to steal a password is low.
Importance of password security: minimal

2. Problems due to security: hiding passwords
User might type a wrong password resulting in an account login that doesn't work. Since this is just a login for free forum access, the user could just give up and look for another forum. = loss of potential users.
Severity: Could be serious given the number of users on this site.
Possible solutions: confirm password field / checkbox to obfuscate the field at the user's choice (simple js to swap a "text" field with a "password" field)

3. Problems due to security: no passwords by emails
Users losing passwords is a daily occurrence. How easy it is to recover it determines whether or not they will bother to go through the hassle of restoring their account. A community website would be bleeding users by implementing too harsh security measures.
Severity: Serious

In the case of WebmasterWorld, the potential losses due to stolen passwords are almost nil, but the losses caused by "security best practices" could result in a significantly decreasing audience over time.

Besides hard core posters (daily users who would recover/protect their passwords carefully), there is a huge field of occasional users who wouldn't bother if it was in any way difficult to get the password.

A quick look at WebmasterWorld should give you a fair idea of whether their implementation of security is adequate: Huge volume of posts, a quazillion users, and almost no junk posts. I would say they know what they are doing.

Now, if they were keeping bank details and such, that would be a totally different matter.
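The "possible solutions" in the post above (a confirm-password field plus a checkbox that lets the user choose whether the field is masked) can be implemented with a few lines of browser JavaScript. The block below is an added example written for this thread, not WebmasterWorld's own code; the element ids (`pw`, `pw2`, `show`, `signup`) are assumed markup. The two core functions take plain objects so they also run outside a browser.

```javascript
// Added example (not WebmasterWorld's code): confirm-password check and
// user-controlled masking, as suggested in the post above.

// Flip an input between masked ("password") and visible ("text").
// `input` is any object with a `type` property: a DOM <input> element in
// the browser, or a plain object in tests. Returns the new type.
function toggleMasking(input) {
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// Confirm-field check: both entries must be non-empty and identical,
// which catches the "mistyped password, account never works" failure.
function passwordsMatch(first, second) {
  return first.length > 0 && first === second;
}

// Wire the functions to a sign-up form when a DOM is present (browser only).
// Assumed markup: <form id="signup"> containing <input id="pw" type="password">,
// <input id="pw2" type="password"> and <input id="show" type="checkbox">.
if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw');
  const pw2 = document.getElementById('pw2');
  const show = document.getElementById('show');
  const form = document.getElementById('signup');

  show.addEventListener('change', () => {
    // Keep both fields in the same state so the user sees a consistent form.
    toggleMasking(pw);
    pw2.type = pw.type;
  });

  form.addEventListener('submit', (event) => {
    if (!passwordsMatch(pw.value, pw2.value)) {
      event.preventDefault(); // do not register a password the user cannot retype
      alert('The two password entries do not match.');
    }
  });
}
```

The default stays masked, so a user in a shared office or cafe is protected unless they opt out, while a user on a private machine can reveal the field and avoid the mistyped-password problem the post describes.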

jatar_k

12:30 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> There is no such thing as "too much" security.

actually there is

Security is based on what you are trying to protect. We require a minimum of personal information, just an email; that is all the information we need about our users. So we already understand that requiring unnecessary information about your users is a bad idea and also, in some places, illegal.

Since I have actually worked with banks and payment companies I know that the comparison between a bank and a forum is nonsensical, they are completely different entities and are bound by very different laws.

The motivation for user accounts to be compromised is small, probably closer to nil. The gain from compromising a user account is also nil, though I can see a case for attempting to harm a reputation, but a user whose reputation could be harmed is on the site enough to notice right away, and the mods and admins would correct it quickly.

It is a normal practice to send passwords in email. Yes, it can be intercepted, but this is common practice; there are more secure practices for password recovery and initial authentication, but none of them are practical or required for an online forum.

as far as clear text on the signup, well, an initial account has nothing attributed to it so there is nothing to harm. As Brett already said security by obfuscation is not security and usually only hinders users.

Brett_Tabke

1:58 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The risk of password social engineering requests is far greater than any risk of a plain text password.