Log In | Register
Skip to main content
Topic: Any issues with no logging out? (split from Re: Error message) (Read 682 times) previous topic - next topic - Topic derived from Error message
0 Members and 1 Guest are viewing this topic.
Any issues with no logging out? (split from Re: Error message)
Here's a question for Steve and Michelle, when they are well settled and rested.
Is there a security risk in not logging out?
I never log out since I may visit the site several times in a day. Same as when we were at the Yahoo site.
I usually have a window with the LDOF available, when viewing other sites or doing other activities, so it's alway kinda open, being just a click away. 
Can't say I log out of many sites except those which have my personal records involved, such as a bank, merchant, utility or doctor.

Is this wise?
Any other security items that we should be aware of?

Larry
Larry
2003 23.5' Front Lounge, since new.  Previously 1983 22' Front Lounge.
Tow vehicles  2020 Jeep Wrangler Rubicon, 2001 Jeep Cherokee
Photo Collection: Lazy Daze
Re: Any issues with no logging out? (split from Re: Error message)
Reply #1
Quote from: Larry Wade  - 
Here's a question for Steve and Michelle, when they are well settled and rested.
Is there a security risk in not logging out?

Only if someone else could access your computer when you weren't using it or if you're using a public computer.  We stay logged in "forever" ourselves (when on laptops/computers) and have done this on Foreforums for years.  When logging in from our phones we opt for 1 or 2 hours.

Quote from: Larry Wade  - 

Any other security items that we should be aware of?

Probably the usual suspects that apply to all online accounts.  Don't use your e-mail address as your screen name/ID since in some cases guests could see that and "harvest" it.  Don't use an obvious password (believe it or not, a while back we researched it and the most common password was, you guessed it, "password".  Other common ones that shouldn't ever be used are pets' names, name of your spouse, etc.

Michelle
Re: Any issues with no logging out? (split from Re: Error message)
Reply #2
Quote from: Larry Wade  - 
Is there a security risk in not logging out?

Since Lazy Daze Owners' Forum doesn't use TLS (HHTPS), every time you log in you send your password in clear, so it's probably slightly safer to stay logged in.

The main thing is: don't use the same password for LDOF as for sites that need higher security.

(This is not any kind of criticism of LDOF for not using TLS.  It's a perfectly reasonable choice for this kind of site.)

Howard
You'll Need a Newer Browser to See This Page
Re: Any issues with no logging out? (split from Re: Error message)
Reply #3
Quote from: Michelle C  - 

Probably the usual suspects that apply to all online accounts.  Don't use your e-mail address as your screen name/ID since in some cases guests could see that and "harvest" it.  Don't use an obvious password (believe it or not, a while back we researched it and the most common password was, you guessed it, "password".  Other common ones that shouldn't ever be used are pets' names, name of your spouse, etc.

Michelle

My concern is not someone accessing my computer or getting my individual password but someone hacking your server with all our names and passwords.  I may be assuming -- if I'm incorrect then just toss this whole email in the trash. 
 If you can do a study on the user's names  passwords that means to me that the user names passwords are not stored in a secure manner.  May I suggest applying some sort of salted hashing algorithm to the password file.   If that is done then if the password file get out into the 'wild' then nobody will be able to 'guess' the passwords and users names. 
personal fine art photo stuff
TF Mack | Flickr
It's all good .......
2014 Twin King
Re: Any issues with no logging out? (split from Re: Error message)
Reply #4
Quote from: G Plam  - 

 If you can do a study on the user's names  passwords that means to me that the user names passwords are not stored in a secure manner.  

I guess I wasn't clear - sorry about that.  It wasn't a study of passwords on our forums, this was a study done by someone else out there "on the Interwebs" regarding password security in general.

Passwords on the forum are encrypted; we cannot see them.  Steve has significant security features on the forum.
Re: Any issues with no logging out? (split from Re: Error message)
Reply #5
Thanks, Michelle.
That answers my questions.

Larry
Larry
2003 23.5' Front Lounge, since new.  Previously 1983 22' Front Lounge.
Tow vehicles  2020 Jeep Wrangler Rubicon, 2001 Jeep Cherokee
Photo Collection: Lazy Daze
Re: Any issues with no logging out? (split from Re: Error message)
Reply #6
We do not actually store users' passwords.  Instead, we transform passwords into password hashes with cryptographic (one-way) hash functions, and we store those hashes.  For this site that means we use blowfish as our cryptographic function and use salting and stretching, both are important.

When a user authenticates to the site with a username and a password, we look up auxiliary information, hash type, salt, and the iteration count (stretching) and then for the provided username, transform the provided password into a hash, and compare the hash against the one stored.

Should a database be 'stolen', the stretching simply makes the computation time required to generate hash 'guesses', much much slower.  However all of that does not exempt the user from using a good password.  If you use "password" as you password, it does not matter how its hashed, it will be reversed very quickly.   Attacks on stolen db are done various ways, but the first pass would be with some rainbow tables of common passwords, hashed against a given algorithm, and then compared.  Use a common password and you are vulnerable.

Interestingly the upper, lower, number and some extra character password approach ... seems good until you add  in human nature and realize that those type of passwords are hard for people to remember and easy for computers to try.  People will do basic and predictable number <-> letter substitutions, like 0 for o etc ... rainbow tables love this as well.  A really secure password is, interestingly enough, phrases like myfavoritecolorisbluecheese .. (see attachment)

Also just to note, the sties various password areas are also protected with session id's, browser id's, one time tokens, and speed / attempt gates, all of which prevent basic "probing" attacks.  We try to make this all transparent, but an occasional Session Timeout, or Token Error will appear, it just means something was old and stale, like some of my underwear (added to see if anyone is reading!)

Onto login "forever" ... its never forever but it can be a long time.  When you login the site saves a cookie on your computer, it contains a hashed (sha256) version of your blowfish hash (see the first paragraph) plus a salt (a unique and random value added to your hash). 

When you logout, the salt on the site changes which invalidates the value in the cookie, so even if a cookie was "stolen", like with a MITM attack, once you logout the cookie is broken.  Trying to reverse a stolen cookie is not going to gain much, if anything.  You don't want to use forever (as already noted) if its not your computer, or some public computer, in those cases always logout.

Although the site does not use https/ssl, when using the login form, the password is only sent in "clear text" under very specific instances, 99% of the time its sent via a sha256 encryption which prevents anyone who may be "sniffing the line" from seeing anything useful.  Of course the same warning remains, if you use a simple password, its simple to break. 

We don't have https implemented since it complicates the showing of data from non-https sites, for example embedding a video or image from a http site on a https site is problematic.  There are ways around that but its once of those grey areas in terms of being the proper thing to do.   Free, reputable, and reliable https services are becoming more common, so over the next couple of years you will be seeing a continued increased in its use.   Of course there have been successful hacks against https such as breach, crime, beast and Lucky 13, so nothing is perfect.

Hope this added information is useful to some of you.
Re: Any issues with no logging out? (split from Re: Error message)
Reply #7
Thanks for the detailed explanation, Steve. How I wish Escapees would hire you! They badly need a Corporate Security Officer, as they appear to be utterly clueless about security. They tell members to send credit card information and passwords via (unsecured) emails; their membership-renewal page invites you to do the same via unencrypted plain-vanilla http... the list goes on and on. When queried about this sorry state of affairs, their response--right up to top management--boils down to "Oh, we've always done it that way, and nobody's complained. Members don't want to be bothered typing 'https'." AARRGGHHH!
Andy Baird
2021 Ford Ranger towing 2019 Airstream 19CB
Previously: 1985 LD Twin/King "Gertie"; 2003 LD Midbath "Skylark"
Re: Any issues with no logging out? (split from Re: Error message)
Reply #8
Andy I had the same experience with Escapees.  I ran an external web site security check program on their 'new update' site.  It fail in so many ways I was shocked.    I call them hoping to offer some insight and help as an external user.  I was once a chief IT security person in one of the largest international  engineering firms in the world.    I got the feeling they really didn't understand the basic IT security.  I admit I a tad on the paranoid side IT wise.  I do like the Escapees club but I never do any buying or exchanging personal information on their web site.  I, sadly, admit they may be keeping my personal information on an insecure manner.    One can only be so tin hatty and live a peaceful life in this new IT connected world. 
personal fine art photo stuff
TF Mack | Flickr
It's all good .......
2014 Twin King