eHattons security


adriank

If you've forgotten your password to a particular website, how on earth are you going to log in ever again if the company concerned can't get at your encrypted password, either to decrypt it and send it to you, or to create another and encrypt it so they can overwrite the old one? All of this will be done programmatically, not by one of their staff having a bit of a hack.

If you've forgotten your password to a particular website, how on earth are you going to log in ever again if the company concerned can't get at your encrypted password, either to decrypt it and send it to you, or to create another and encrypt it so they can overwrite the old one? All of this will be done programmatically, not by one of their staff having a bit of a hack.

 

If you lose/can't remember your RMweb password there is a Lost Password process to go through; enter your username or email address used when registering* and the system will send a link to that email address to a page where you can reset your password.

 

Even I can't access the encrypted passwords but I can, as Admin, change a password for a user if all else fails.*

 

*Occasionally people can't remember what email address they used or access their emails (and there's the occasional one where you hope they kept the box the PC came in).

An interesting choice of name and first post.

 

 

It is worth re-iterating previously given advice for other readers: do not use the same password for low-level security needs such as social media access as you may for high-level security needs such as banks or other financial transactions. Don't use the same password for eBay and PayPal, etc., etc. All common sense, so if there's any danger in passwords and RMweb it's down to the user's use of such rather than any site providers' systems.

Have to agree with Andy here, especially re: the second paragraph.

 

Blimey, I can't believe the longevity this thread has managed - seems to me if you are able to get online you have ONE PRIMARY responsibility on your part, and that is to understand the strengths and limitations of any and all security systems you pass through, AND plan accordingly.

If you're too lazy to do anything more than use the same username/password (go on, tell me you use PASSWORD or 123456!!!!) for both arbitrary/casual sites and your online banking/financial needs, you need to take a refresher course in sanity!

Also, you should have SOME measure(s) of virus checking/Malware checking and crap cleaners running routinely on ALL your PCs!

If you don't, and given this is 2015, you're too naïve to be online and someone should wrest your devices from you before you hurt yourself...

 

Due diligence is the key, and no system is 100% immune (see recent high profile cases, especially the hack of Target stores data in the US!!). You simply need to change passwords regularly, check accounts (even if VERY SECURE) routinely for unusual transactions, and for pete's sake don't pick on/blame every vendor/site owner out there for their choice of security or lack thereof.

You, by signing up, decided you can ACCEPT their interface (I know, I KNOW you don't know what lies beneath) and if you're unsure/worried/unable to accept the responsibility of your half of the transaction, simply don't sign up for the services/features, no-one is being forced to use the internet/online services far as I know.

You can STILL call - you know, that phone thing - Hattons if you want to order stuff and their web site worries you. I've done business with them since the mid-80's and am happy with how they operate. I started out phoning them because there was no internet ordering back then, and now do it online, as does I'm sure a large percentage of their customer base, without major issues.

 

As an FYI - I've been involved with systems design and development since '67 and using the internet since '84, and there are about as many varieties of security out there as there are web sites now - you either have to accept what the service you're using implements, or not.

I for one do NOT want to see the level of security I have to work with daily for secure business systems, such as a phone call BACK to you to a known/registered number before a connection is validated, for something like an online purchase or RMWeb. BUT, that sort of complexity is the only level of security that will provide a more robust transaction, than a simple or moderately complex username/password pair, no matter HOW much it is encrypted, blah, blah...

As said already, if you don't like their system shop elsewhere.

The retained credit card details are, I presume, for pre-orders. They can then in theory charge your card and send out items on receipt of delivery. Sadly that system doesn't work very well, as my last order "couldn't be sent due to wrong/expired credit card details". That was complete rubbish, as the card was 100% correct, and I haven't ordered from them again.

If you lose/can't remember your RMweb password there is a Lost Password process to go through; enter your username or email address used when registering* and the system will send a link to that email address to a page where you can reset your password.

 

Even I can't access the encrypted passwords but I can, as Admin, change a password for a user if all else fails.*

 

*Occasionally people can't remember what email address they used or access their emails (and there's the occasional one where you hope they kept the box the PC came in).

 

That's what I meant - apart from the user, only the program code 'knows' the password in its unencrypted form, and even then only fleetingly when encrypting/decrypting.

 

An interesting choice of name and first post.

 

Apologies Andy, I didn't have the radar on :D (it was becoming a bit of a bash eHattons topic followed by let's bash RMWeb - and I just responded without reading)

 

As far as RMWeb is concerned I have always believed the common method used to "reset" a forgotten password has been to open a new @hotmail, @gmail (others available) account then start again on RMWeb as a new user. :diablo_mini:

 

But I guess that everyone has to post for the first time at least once. (Some might wish ... I had stopped there.)

 

Incidentally, I note that RMWeb, like a lot of other sites, offers to remember your password for you. To translate, this means that your password together with your username will be stored unencrypted on your own PC. As your home PC will be less well protected than any half-decent commercial web site, that information will be available to anyone who can get access to your PC - Internet hacker, burglar or visitor.

 

Come on RMWeb - show the rest how to do it. Remove that dangerous option.

 

Except RMWeb isn't remembering your password.

 

Your web browser is, and they are being stored using features found in the OS.

 

https://support.google.com/chrome/answer/95606?hl=en

 

All RMWeb offers is to remember you're logged in, which isn't the same as storing a password on the local system.

 

All RMWeb offers is to remember you're logged in, which isn't the same as storing a password on the local system.

Please read my post above regarding cookie storage of the password. (Please examine your own cookies?)

 

As far as the "Keep logged on" flag is concerned, it would be very, very poor programming practice and design to store this flag in a cookie (user's browser). It is almost certainly stored in a data table on the server associated with the userid. The reason for this is that it enables the Admin of a site to effect a forced log out of every user (for example during an upgrade), though there are certainly other flags that may be involved in such a process.

 

Although this flag could be stored in another cookie (or even the special "session" cookie), it will then be outside the control of the site Admin. The "session" cookie only remains valid until the browser is closed (end-of-session), to be renewed at the very first data transfer on a new session. So unless it was also stored on the server (duplication error) it would change to "unknown" state every time you restart a browser.

 

The only way the user has to effect a change to "keep logged on" is to sign out and sign back in again, changing the check box value and re-signing on.

 

Systems such as this need to know at any point in time who is logged on AND if they open additional tabs. A whole host of user checks happen at sign in to authorise a user; it is not a simple task.

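The post above argues that the "keep logged on" state belongs in a server-side table keyed to the user, not in the browser, because that is what lets an admin force every user out at once, and that a plain session cookie dies when the browser closes. The following is an added example written for this thread (not RMweb's or IP.Board's code) of such a server-side session table; the cookie name, lifetimes and cookie attributes are assumptions. The browser only ever receives an opaque random token, so nothing derived from the password travels in the cookie, and the table stores a hash of that token so a copy of the table cannot be replayed.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: a server-side session table. The browser holds only an
# opaque random token; the user identity and the "keep me logged in" choice
# live here on the server, so an admin can revoke every session at once.

SESSION_TTL = 30 * 60          # assumption: ordinary sessions idle out after 30 minutes
REMEMBER_TTL = 30 * 24 * 3600  # assumption: "keep logged in" sessions last 30 days


@dataclass
class Session:
    user_id: str
    remember: bool
    expires_at: float


def _token_key(token: str) -> str:
    # Store only a hash of the token: a leaked copy of this table cannot be
    # turned back into a working cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, remember: bool, now: Optional[float] = None) -> str:
        """Open a session and return the opaque token to put in the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_TTL if remember else SESSION_TTL
        self._sessions[_token_key(token)] = Session(user_id, remember, now + ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id behind a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = _token_key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[key]
            return None
        return session.user_id

    def revoke(self, token: str) -> bool:
        """Sign one browser out (the user's own 'sign out' action)."""
        return self._sessions.pop(_token_key(token), None) is not None

    def revoke_all(self) -> int:
        """Forced log-out of every user, e.g. before an upgrade; returns how many."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


def set_cookie_header(token: str, remember: bool) -> str:
    """Build the Set-Cookie value carrying the session token.

    Without Max-Age the browser discards the cookie when it is closed (a
    'session cookie'); with Max-Age it survives a restart. Either way the
    server-side table decides whether the token is still valid.
    """
    attrs = [f"sid={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember:
        attrs.append(f"Max-Age={REMEMBER_TTL}")
    return "; ".join(attrs)
```

Because validity is decided by the table, `revoke_all()` logs everyone out regardless of what cookies their browsers still hold; the "remember me" choice only changes how long the token and cookie are allowed to live.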
Please read my post above regarding cookie storage of the password. (Please examine your own cookies?)

 

 

Again, no password is stored; only the hash for the password is stored in the cookie for RMWeb.

 

It is the web browsers, using features of the OS, that are storing login ids and passwords.

 

Well, there's one with the name 'cookiemonster' and the value 'NOM+NOM+NOM'

 

I'm sure it is vital to the operation of RMweb

That's the sound of it crunching cookies ;)

As I have said many a time, the software that is used for RMWeb is of poor practice and very inconsistent (but that is not Warner's, Andy's or RMWeb in general's fault - just the dislocated programmers at IP Board). One encrypted cookie is enough to hold all that is required. Any name that it is called is irrelevant. It should manage redundant "empty" cookies at login and delete them. Besides, "NOM+NOM+NOM" may have some obscure meaning ;) ;)

 

It is the web browsers, using features of the OS, that are storing login ids and passwords.

Ah, the OPTIONAL "do you want *** to remember your password for this site" Popup.

(the option that is removed from my system, but commonly used by most folk)

Odd, is it not, that I can still log on with this OS function disabled? As I said, browsers and the forms that use it are not secure, as someone using the PC can easily visualise the contents. Whether an encrypted actual password or a "hash code" to encode the password is stored in the cookie is not relevant. The important thing is that it is not in plain text. Either way the server doesn't know one client from another until they present some form of credentials (name is in the public domain, my password isn't). You cannot trust IP addresses as they can be forged.

That's what I meant - apart from the user, only the program code 'knows' the password in its unencrypted form, and even then only fleetingly when encrypting/decrypting.

The code doesn't decrypt it; it can't be decrypted. What it does is encrypt your password attempt, and if the encrypted version of it matches the encrypted version saved then it is the correct password.

As Gerald already said.

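Two points in this thread fit together in code: the Lost Password process described earlier (enter a username or email, receive an emailed link, set a new password) and the last post's explanation that the site never decrypts anything, it hashes the attempt and compares. The example below is added here and is not RMweb's or IP.Board's code; the PBKDF2 work factor, the 15-minute token lifetime and the storage layout are assumptions. It shows why the forgotten password cannot be sent back (only a salted one-way hash exists) and why a reset still works (the old hash is simply overwritten by a new one, and the emailed token is single-use and short-lived).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example of password storage plus an emailed reset-link flow.
PBKDF2_ITERATIONS = 600_000   # assumption: work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # assumption: reset links expire after 15 minutes


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted one-way hash; the password cannot be recovered from it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._iterations = iterations
        self._users: Dict[str, Tuple[str, str]] = {}     # username -> (email, password hash)
        self._resets: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (username, expiry)

    def register(self, username: str, email: str, password: str) -> None:
        self._users[username] = (email, hash_password(password, self._iterations))

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        return record is not None and verify_password(password, record[1])

    def stored_hash(self, username: str) -> str:
        """What the database actually holds for this user (never the password)."""
        return self._users[username][1]

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use token to be emailed as a reset link.

        Only a hash of the token is kept, so the table itself cannot be used to
        reset accounts. Returns None for an unknown address; a real site would
        show the same 'check your inbox' page either way.
        """
        now = time.time() if now is None else now
        for username, (user_email, _) in self._users.items():
            if user_email == email:
                token = secrets.token_urlsafe(32)
                key = hashlib.sha256(token.encode("utf-8")).hexdigest()
                self._resets[key] = (username, now + RESET_TOKEN_TTL)
                return token
        return None

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token and overwrite the old hash with a fresh one."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._resets.pop(key, None)  # single use, whether or not it is still valid
        if entry is None:
            return False
        username, expires_at = entry
        if now >= expires_at:
            return False
        email = self._users[username][0]
        self._users[username] = (email, hash_password(new_password, self._iterations))
        return True
```

Two hashes of the same password differ because each gets its own random salt, so even two users with the same password look unrelated in the table; verification works because the salt is stored alongside the digest and the attempt is hashed the same way.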