
Secure Login For "my Account"


daddyo58


I've been a member now for only a week or so, however I have some concerns regarding the login for users when accessing the "my account" link.

Since the user's profile may contain some personal information, I would like to see the developers utilize an SSL layer and create a secure login for your users. It really makes no sense for users to broadcast their userID and Passwords to the entire internet world when logging in. This is certainly a vulnerability which, with a little work, could be eliminated completely.

You've got a great web site, so keep up the great work (and make it secure!!)

Sincerely,

Dave Hlatko
daddyo58 (the Briar Patch Gang)

Link to comment

I'm not sure what you are worried about giving away. In my profile the only thing I don't want given out is my home coords. Everything else is available to you just by clicking on my profile link. If I was really concerned about the home coords I could move them and still have the distance to nearest caches pretty close to correct.

 

Maybe I am missing something though.

Link to comment

well looking from a Security stand point

 

what can be found on your Account Details

 

people with your username and password

 

can get your name and your address

 

and if you use the same passwords on all web sites that is a problem

look at pay-pal if you use your email address that you use on here and the same password

 

just look at what they could get...

Link to comment
I have always thought geocaching.com an unsecure site and therefore treated information on the account details as such.

 

Something else that would be nice would be load balancing.

What information?

 

Your hometown? Cache finds/hides? email addy?

 

Someone help me understand what information you are afraid of being exposed to security threats.

Link to comment
I have the little "Remember me" thing, so I never actually have to type anything. I'm always logged in, and only access GC from this computer.

 

WS:"Online bank"..lol. I have your money.

If you have another 50 cents in your ashtray you can go to McDonalds for lunch on me. Of course you will have to order from the dollar menu, :ph34r:

Link to comment

There's been a lot of pooh-poohing of this.

 

What if you're on a laptop with a public access wireless connection as those are almost never encrypted? This means your login and password are flowing in plaintext through the air, free to be snooped. I could also do the same with a wire tap or via subversion at your ISP.

 

Once I'm logged in as you, I can delete all your finds, email everyone (as you, of course) telling them exactly what I (you) think of them, submit clearly forged logs on multiple continents on the same day, and generally cause lots of trouble.

 

Granted, this isn't the most horrible thing ever (hey, it's only your reputation, not your money :-) but it's easy to fix and probably worth doing. Passwords flowing in cleartext over the net these days are a Bad Idea. But this has been brought up before...

Link to comment

I agree, that while it may be a good idea, it certainly wouldn't be very high on my to do list.

There are a number of reasons for this:

1. Has ANYONE ever had this actually be a problem? If this is meant to be an attack against a specific person, then it really seems to me like you'd likely have to have a lot of luck to specifically get said access. I mean let's see, in the wireless situation, you'd have to be in range of the person you're trying to attack physically (so you're going to follow them around all day in hopes that they log on to an unsecured server?). The wiretap at your ISP is even more far-fetched.

2. If this is meant to be a general attack on gc.com customers, then it seems to me that other methods, like maybe a phishing scam that puts a keylogger on your computer would be far more effective in divulging username/password pairs than any attack on the actual link.

3. It's a whole lot of work to go through for very little benefit from the attacker's standpoint. You (the attacked) have only lost face in so much as you allowed yourself to be fooled (provided you're reasonably honest to begin with, I don't think anyone is going to be fooled into thinking it was you).

 

It's not that it wouldn't be good, but there are definite reasons why it shouldn't be a priority.

Link to comment

I like the wiretap scenario. It makes me laugh.

 

The constabulary thinks I'm a bad boy, so they get a wiretap. In the course of their activities, they discover my geocaching password. In an attempt to make me tip my hand, they delete all my finds! Did I miss this on Law & Order?

 

:anicute::blink::blink:

Edited by sbell111
Link to comment
email everyone (as you, of course) telling them exactly what I (you) think of them

I think that you're a long winded......... Oh, wait. This wasn't about the length of the icebreaker game at the meeting? (Note that I'm kidding. I actually enjoyed that)

 

 

Seriously, though.. Seeing as though the password on the site isn't visible when you're in the account, it's not like someone could steal it even if they wanted to.

Link to comment

The pooh-poohing continues. The point is that the way this site does login is across a cleartext (non-secure) connection; anyone watching that connection *can* see your password. Cable modems are frequently (mis)configured so that you can see your neighbours' network traffic and hotels are _usually_ configured as a shared cloud.

 

Any serious spook would have better (i.e. more profitable) things to do with his or her time. A bored teenager with a laptop at Starbucks or in his hotel room is way more likely to be entertained by vandalizing your account even if there isn't money at stake - they'll do it because it's there.

 

Right, Fly46, your password isn't visible on the site, but your password to this site _is_ visible as it's flowing across a wireless connection or across your cable modem, and the tools for doing this are widely available. Once I'm logged in as you, I have the option of just being you when I want to be or I can change your password and your email address which means I can get in as you and you can't.

 

This site has had at least one case where passwords have been hijacked and the accounts abused - the trail of abuse (not the abuser) involved a couple of cachers in our area.

Link to comment
Right, Fly46, your password isn't visible on the site, but your password to this site _is_ visible as it's flowing across a wireless connection or across your cable modem, and the tools for doing this are widely available.

 

Was wondering, is your password (or rather information that would be required to fake being you) transmitted if you've got a logon cookie stored?

 

Further, if you're the kind of person that is a bit concerned about security over wireless, you'd do far better to encrypt all of your data through some kind of tunnel to a remote server at a trusted location, and work through it that way. (still not saying that it isn't a good idea to have your logon stuff protected anyways, but at least this sidesteps this issue.)

 

Once I'm logged in as you, I have the option of just being you when I want to be or I can change your password and your email address which means I can get in as you and you can't.

 

Ummm, are you sure you can change that information without your password? I thought gc.com required you to reconfirm your password before changing any of that stuff (been a while though since I've been in to check it).

 

This site has had at least one case where passwords have been hijacked and the accounts abused - the trail of abuse (not the abuser) involved a couple of cachers in our area.

 

I stand corrected. Was this a result of their password being divulged in a manner that would have been prevented by the measures we're talking about?

 

I would imagine a social engineering attack would probably work better for this kind of thing...

Link to comment
I stand corrected. Was this a result of their password being divulged in a manner that would have been prevented by the measures we're talking about?

I am not aware of a password being grabbed using a sniffer, but I am aware of people leaving their computers unattended which allowed someone else access to their account. This, of course, wouldn't be resolved by any security protocols.

 

I haven't seen much of a need for it but if it does get abused in the future we may move in that direction.

Link to comment

If the cookie contains enough information to substitute for a login, if I can snoop your cookie, I could substitute it for a login, right?

 

Should security really be left to "the kind of person that is a bit concerned about security" and ignored for the rest? You really think that Aunt Tilly using her cable modem (which is a shared medium for her neighbourhood) is using secure proxy servers?

 

I do think you're correct that on this site, you have to retype the password and not merely cash in a cookie. (It does get a lot of the security basics correct.) Which means I just have to steal your cookie, log you out, wait for you to log in again and capture that just like I captured your cookie. After all, did you really know when you were going to have to log in next?

 

I don't recall the details of the account hijacking. It's possible (probable even) that it was done by non-technological means. But it gave someone some joy to fake scores of logs and emails for a while until several of us placers started comparing notes and logbooks and asking questions. Our original mails to the "finder" were commandeered by the faker and not read by the real account holder.

 

Was there any monetary damage to the account holder? I doubt it. If this account ever logs a find in this area again, you can be darned sure it'll be scrutinized.

Link to comment
Should security really be left to "the kind of person that is a bit concerned about security" and ignored for the rest? You really think that Aunt Tilly using her cable modem (which is a shared medium for her neighbourhood) is using secure proxy servers?

The question really is should Aunt Tilly care? I say she probably doesn't have anything to worry about unless she frequently uses her wireless laptop in the neighborhood Starbucks (which by itself prescribes a degree of geekdom that I don't think you're willing to ascribe to Aunt Tilly).

I find it very unlikely that Aunt Tilly has anything to worry about from the point of view of her connection to gc.com being secure or not (at least for the time being).

 

In fact I find it very unlikely that anyone will be paying close enough attention to data going in and out of your computer to actually notice that you're doing anything more than reading webpages when you're visiting gc.com.

Again, it's not a bad idea (I don't think that anyone has said that it *shouldn't* be secure), it's only a matter of how much priority you want to put on it.

Link to comment

OK, Aunt Tillie doesn't have a laptop and can't afford starbucks. She has a cable modem. Data flowing over her cable modem can be seen by everyone within a few blocks of her; no special equipment or wiretaps needed. The neighbourhood teens are camped on the wire looking for anything they can see.

 

Aunt Tillie isn't targeted for mischief and while it's fun to assume conscious malice of a team of organized crackers; hers is just the first stream of bytes with "login" and "passwords" flowing across the wire that the kids find.

 

Even Aunt Tillie knows to not type personal information into her web browser thingy unless she sees the little padlock in the corner.

 

(Of course, except when there's no option to do this which conditions Aunt Tillie to ignore the little padlock...)

Link to comment

Yeah, I admit (and have never denied) that it's a good idea. It may be possible, it may even be easy, but from all accounts it doesn't seem to be a problem, and hence not a huge priority.

 

I guess part of my problem is that I'm not really 100% sure how much effort it would take on Groundspeak's part to run the login on a secure server. Are we talking Hours of work? Days? Weeks? Is it really more of a priority than other things? Yes security is important, but I don't think it should be seen as an overriding concern.

Link to comment

I try not to tell someone else how easy their job should be. (I don't like it when people do it to me, so I try to not do it to others.) Most web services/toolkit thingies these days make it pretty easy. As much fun as it can be to make fun of Microsoft security practices, asp.net and IIS really aren't totally stuck in the 80's - it's not like this isn't a solved problem in the industry.

 

I'm also sure that the House of the Frog - like many of us - have many of those 'should be easy' projects that just don't make it to the top of the TODO list. That's OK.

 

I guess my goal here wasn't even necessarily to hard-sell that it gets done as much as it was to point out that there are opportunities for abuse even when money isn't involved. If I've gotten Aunt Tillie to pay more attention to that little lockbox thing and think about how even "simple" accounts can be abused, great.

 

(And if I have the locals in this thread wrapping their computers in tinfoil or be on the lookout for the repo man on the shiny new white jeep that was titled to her during that long-winded intro, it's a double success. :-)

Link to comment

It is possible for someone to sniff your password when logging in to a non-secure site. However the probability of it happening is very low. It is easier to guess most passwords than to sniff for it because most passwords are poorly chosen. All the encryption in the world doesn't matter if you are using a weak password.

 

If you are really worried about someone hijacking your geocaching account you should strengthen your password. Don't use words that are found in the dictionary and stay away from common proper nouns too. Use both upper and lowercase letters, numbers, and at least one special character (!@#$%^&*).

 

So how do you do that and still remember your password? Start with a word you can remember like, geocaching. Change some letters to upper case letters, GeoCachinG. Then change some letters to numbers, Ge0C4chinG. Now add special characters, Ge0C4ch!nG. Now you have an easy to remember but hard to guess password.

Link to comment
Ge0C4ch!nG

Now I know your password....

 

now for my trick...

 

I pick something simple, say, 'geocaching'

 

I'll replace a letter or 2 with numbers... 'g3oc4ching'

 

now I use my OTHER keyboard layout (the keys think they are in different spots) and it turns into this... 'u3si4ijglu'

 

a simple word, I still type a simple word, it comes out looking like crap.

Link to comment
Ge0C4ch!nG

Now I know your password....

 

:):rolleyes:

 

now for my trick...

 

I pick something simple, say, 'geocaching'

 

I'll replace a letter or 2 with numbers... 'g3oc4ching'

 

now I use my OTHER keyboard layout (the keys think they are in different spots) and it turns into this... 'u3si4ijglu'

 

a simple word, I still type a simple word, it comes out looking like crap.

 

What about the special characters? :lol:

Link to comment

Many thanks for bringing this to our attention. Fortunately I use separate passwords and read this forum.

Every other site I log onto uses a secure connection.

I would have made the assumption that with over 177930 active caches in 214 countries and 21625 active account holders the sign in would be secure. If even 1% of these people use the same password for multiple sites this is 1% exposed to this risk.

This risk whether real or imagined (and we already have one example above) is still there if some unscrupulous person turns their attention towards this database of 21,625 email addresses and passwords.

Link to comment
Many thanks for bringing this to our attention. Fortunately I use separate passwords and read this forum.

Every other site I log onto uses a secure connection.

I would have made the assumption that with over 177930 active caches in 214 countries and 21625 active account holders the sign in would be secure. If even 1% of these people use the same password for multiple sites this is 1% exposed to this risk.

This risk whether real or imagined (and we already have one example above) is still there if some unscrupulous person turns their attention towards this database of 21,625 email addresses and passwords.

The reason to use a different password at different web sites is to reduce the chance that a compromised password from one site can be used at another. This too is something that is unlikely to happen. First someone has to get your password. Sniffing is very unlikely. If the database of passwords is compromised, most sites store the passwords in encrypted form that would take, figuratively speaking, forever and a day to decrypt. It is much easier to try and find someone with a weak password. Even if someone were to find the password for Aunt Tillie on one site doesn't mean Aunt Tillie uses the same username on any other site. Also trying to figure out what other sites Aunt Tillie uses without knowing anything about her is near to impossible.

 

In my experience very few sites, offering services similar to geocaching.com, use a secure connection or even use a secure login form. My bank uses a secure connection from the moment I log in to the moment I log out, for obvious reasons. My online email account allows a secure login. But, you must make an effort to use it. The default is non-secure login. Then once you login it goes unsecure for the rest of the session. Of the many sites that I surf those are the only two I can think of, off the top of my head, that use a secure connection or login form.

 

Lastly, your guestimate of 1%, IMHO, is a very high number. Unless the sniffing was happening at the business that geocaching.com gets its internet connection from then that percentage is much, much less than 1%. Like Jeremy alluded to in his post. Your biggest threat is from leaving the browser window opened, even if you have logged out and having someone, usually that knows you, guess your password. The two things you should do to make your account more secure are to use a password that is difficult to guess and close the browser window every time after you finish surfing, especially at public terminals.

Link to comment

If I read his post correctly he was saying that if only 1% of users use the same password here as elsewhere, which I don't think is a particularly high number. I do not agree though this is really something to be overly concerned about.

Again though whether or not I think it should be done is something that at least for me is going to be dictated by the difficulty in doing it. Is it just a 'flick the switch' issue, and then it goes through a secure link? If so, then by all means go for it. But if it's going to take any significant amount of time to work on, then I really don't care.

Good point with the username thing, I personally don't use the name ibycus anywhere else (at least nowhere important), and most banks give you a login ID to use, so it is unlikely that your gc.com ID matches any really important stuff.

 

But yes, it is important, but I think it is somewhat like a plumber fixing a dripping tap when the homeowner has left the water running in the sink around the corner. Yes the dripping tap is something the plumber can do something about, but in the scheme of things it isn't going to do them a whole lot of good.

Link to comment

I can't HELP myself - I've got to jump in on this one.

 

Those of you who are dismissing the concept of a secure interface are definitely missing the point. Robert has done a GOOD job of trying to educate and raise awareness - while we certainly want to understand and quantify the risks when designing and implementing appropriate security controls - the responses I've seen from the community are actually pretty surprising.

 

As a security professional by trade, this has bothered me since my very first login to gc.com, as well. I submitted feedback to that effect, and received no response. I didn't take the extra step to start a thread here in the forums - though I wish I had.

 

Robert highlighted some pretty significant "risks" with clear-text passwords. While you may feel that you keep no 'sensitive' information on gc.com - seriously, how would you feel if you logged in tomorrow to discover you had "zero finds", and all your hides had been deleted? Sure, MAYBE you've got all that information stored in your own personal offline database, or GSAK, or an Excel spreadsheet... how much fun will you have typing it all back in? Explaining to all those other users why THEIR finds, on your caches, were deleted?

 

Here's the catch: Implementing SSL security couldn't be easier. It has NO usability impact to you, the end user. Jeremy coughs up $299 for a Verisign certificate (that's only 10 subscriptions) - maybe more if he's actually doing load balancing across multiple web servers, without centralizing the SSL termination point. This is transparent to you, the user (heck, he can even do a redirect from the insecure login page to the secure one, so you don't even have to remember the "S" in https), or even support both (ala yahoo mail, etc), if there are those of you who truly don't care.

 

No wonder identity theft, fraud, and phishing scams run so rampant, with prevailing attitudes like I've seen in this thread.

 

Personally - I strongly encourage Jeremy and team Groundspeak to step up and offer us a secure login mechanism. But that's just my opinion - your mileage may (obviously does ;-) vary...

Link to comment
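The redirect from the insecure login page to the secure one described in the post above, together with the cookie-snooping concern raised earlier in the thread, shown as an added example; it is not code from any forum participant or from Groundspeak. The names `HttpsOnly`, `harden_cookie`, `demo_app`, `call` and the host `www.example.test` are hypothetical, and the sketch assumes the server sets `wsgi.url_scheme` correctly (behind a separate SSL termination point that value has to come from the terminator).

```python
from urllib.parse import quote


def harden_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value if they are missing."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            value += "; " + flag
    return value


class HttpsOnly:
    """WSGI middleware: no login and no session cookie ever crosses cleartext HTTP."""

    def __init__(self, app, canonical_host):
        self.app = app
        # Fixed by the operator; the redirect target is never built from the
        # request's Host header, which the client controls.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            return self._cleartext(environ, start_response)

        def hardened_start(status, headers, exc_info=None):
            fixed = [(n, harden_cookie(v)) if n.lower() == "set-cookie" else (n, v)
                     for n, v in headers]
            # Tell the browser to use HTTPS by itself on later visits.
            fixed.append(("Strict-Transport-Security", "max-age=31536000"))
            return start_response(status, fixed, exc_info)

        return self.app(environ, hardened_start)

    def _cleartext(self, environ, start_response):
        # A POST that arrives here has already exposed its form fields, so a
        # redirect would only hide the problem: refuse it so the form gets fixed.
        if environ["REQUEST_METHOD"] not in ("GET", "HEAD"):
            body = b"HTTPS required\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        raw = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        path = quote(raw.encode("latin-1")) or "/"  # WSGI strings are latin-1 decoded bytes
        query = environ.get("QUERY_STRING", "")
        location = "https://" + self.canonical_host + path + ("?" + query if query else "")
        start_response("301 Moved Permanently", [("Location", location),
                                                 ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Constructed stand-in for a login handler that issues a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"logged in\n"]


def call(app, method, scheme, path="/login", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "attacker.example"}  # ignored when redirecting
    list(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    site = HttpsOnly(demo_app, "www.example.test")
    for method, scheme in (("GET", "http"), ("POST", "http"), ("POST", "https")):
        print(method, scheme, call(site, method, scheme))
```

The 403 on a cleartext POST is the practical caveat: redirecting the login page only helps if the form itself is served from, and submits to, the HTTPS URL.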

This thread makes me laugh still.

 

Why is anyone so worried about GC.com?

 

I don't use this password at other places.

 

I don't have my CC/bank/paypal accounts tied in here.

 

My SS# is not part of my login.

 

I don't care if someone deletes my finds and emails every damned GC member from my account. I will make another.

 

You DO need your password to change account/profile settings.

 

First, what % of people do NOT use the login cookie. Then, what percentage use a laptop, unsecured, in a public place, to login to GC.com. Then imagine what OTHER information more interesting there would be to steal from said person using laptop.

 

I just fail to see this as a serious security threat to anyone, besides maybe some social status on this board.

 

If someone is going to go through all this trouble just for a GC.com account, and to what, delete my finds? I can't imagine someone sitting around doing that when there's so many better and easier things to hack.

Link to comment
<snip>

Those of you who are dismissing the concept of a secure interface are definitely missing the point. Robert has done a GOOD job of trying to educate and raise awareness - while we certainly want to understand and quantify the risks when designing and implementing appropriate security controls - the responses I've seen from the community are actually pretty surprising.

<snip>

Using SSL login isn't a cure all for every security problem on the internet, that is just the marketing hype. It will not make a weak password more secure, nor will it close the browser window on a public terminal for you. It is one step in an overall security solution and because of the small chance that your password could be sniffed it is a very small step in an overall solution. There is a much greater risk that someone would guess your password or hit the back button in a browser window you left open than to find your password by sniffing. When people make statements like, "It really makes no sense for users to broadcast their userID and Passwords to the entire internet world when logging in." All it does is scare people into thinking this is larger than it really is. If geocaching.com ever offers a secure login I will use it. Until then I'm not going to get upset because there isn't an SSL login here.

Link to comment

To be honest, I'm a little surprised by my own opinion, but it's how I feel. My opinion is basically summed up as follows:

 

1. Yep, a secure sign in process would be nice.

2. Would close a minor security hole, that isn't being even marginally exploited as far as anyone knows. This doesn't mean that no one is going to exploit it, or that it shouldn't be closed, but it does mean that it shouldn't be a priority.

3. The attack vector is very small. It requires someone be sniffing either an open Wireless network, or presumably poorly configured cable modem network (correct me if I'm wrong, but I don't think this is a universal problem...)

4. Face it, deleting all of someone's finds, or hides is going to take a lot of work, and really I don't think anyone would find it all that much fun. You might get a whole bunch of nasty log entries in your name (that is probably more fun for the attacker to do), but I think that is about it.

 

I'm not normally a proponent of leaving security holes around just because they aren't being exploited, but in this case, I think the attack vector is small enough that I don't really care one way or the other.

Link to comment

Ok, so I'm back from vacation now... and no one seems to have accessed my account and deleted all of my (few) finds. I've read through all of the replies, and here's my take on them.

 

I found many individuals seem to grasp the theory that no one would want to waste their time accessing an account on this site. What is there anyway that anyone would like to gain access to?

 

If you geocache, and you put photos up of your family, then you're potentially putting your children at risk. If a pedophile (or some other degenerate, and yes, they're out there looking...) decides to hack your account because he likes the way your daughter or son looks, he then has coordinates to your house. One only has to remember the recent murder of a family and the kidnapping and murder of the little boy and the molestation and rape of the young girl only a few weeks ago (he was a Geocacher, by the way... did he maybe look at your kids' pics??) to realize that we're all at risk. He stalked the family for weeks using night vision goggles to watch the family and plan his crime. While I know that by just going out of our homes, we put ourselves at risk, and that probably most of you will think that I'm an over protective a**, so be it. My brother in law is a detective which works cases involving child sexual abuse, and believe me, they're out there, and they're counting on you taking the "it's no big deal" attitude.

 

Encrypting the login is an easy way to add an extra layer of protection for the users of this family oriented site.

 

Nuff said...

 

Daddyo58

The Briar Patch Gang

Link to comment
<snip>

  Encrypting the login is an easy way to add an extra layer of protection for the users of this family oriented site.

<snip>

Sure, as AN extra layer. But don't let it give you a false sense of security. If you are really worried about your family then you should upload photos of your children and you don't use your exact home lat and long.

 

Also the best way to keep someone from getting your password is not by using a secure login. It is by creating a secure password (upper and lower case letters, at least one number and one special character, no dictionary words) and change it frequently (every few months).

 

It is far more likely that someone would guess your password than sniff it. SSL protects from sniffing and not from someone correctly guessing your password.

 

The security of your passwords and ultimately your accounts are up to you and not the websites that you visit.

Link to comment