Are these login forms secure enough to prevent hackers from gaining access to accounts without any authorisation?
http://www.neopets.com/loginpage.phtml
http://www.neopets.com/neoadmin/
I think you missed the password field at the logon page!
The first page isn't SSL, so people could sniff packets for the password. Not sure about the second, but I think the password could be sniffed there too.
No, he didn't miss the password field. Can't you read the paragraph above it?
This is what it says:
Quote:
To log-in, please enter your username below.
Once you hit Log In to Neopets, you will be presented with a picture of one of your Neopets. If that pet is yours, enter your password to finish logging in. We do this to ensure the security of your account (and try and stop anybody who isn't you getting your Neopoints!)
If you are ever presented with a Neopet that isn't yours, or if the URL in the Address Bar is not www.neopets.com you are not logging into Neopets! Be sure to note the url and report it to us right away!
And coming to the point, did you take bruteforcing into consideration?
After three of some times, the account must be disabled for a few minutes.
Sorry for my 1st post. I've changed the language and didn't notice that explanation. I was very dumb.
By the way, I've tried to enter a user at random, and the system gave a "user unknown"-like message. As leapinglangoor said, someone can just try a lot of combinations to find a valid userid. After that, the attacker can try to guess passwords.
I prefer systems that don't give the attacker a tip, such as "invalid user" or "invalid password". Can you change the logon screen to enter over https and ask for user and password on the same screen? And if one of them is wrong, just say "user OR password is invalid".
Another idea is to add those random images that contain a string that must be typed, to avoid script attacks.
If you have never seen that, take a look here:
http://www.phpnuke.org/
You will see a "code" that must be re-typed.
Dude... It's just neopets.
They've done a fine job of securing the site considering its contents.
I think they are fine. First off, no one is really gonna mess with your site. But I tested out the first one and it seems to be safe from SQL injection methods. You are using SQL, aren't you?
As for the second one (admin) make sure the password is over 8 chars (uppercase, lowercase and a number or special character ¿ maybe) because after 8 most brute force password crackers just give up. And is this one a .htaccess or just javascript?
I hear lots about people getting their neopets accounts hacked. Neopets doesn't really care about it. And nothing is "secure enough". Why are you so worried about neopets anyway?
So no, it isn't secure enough.
Even SSL can be sniffed and decoded, right?
I'm impressed that you have both a short and a long version of the terms and conditions for the site . . .
I just ran a quick exodus analysis of the site and it seems pretty stable. The weak spot in the chain would be the complexity of your admin account IDs and passwords, as this would be a pretty easy site to apply a brute force attack to.
But again, who would try that hard?
Why are you concerned about the security of the neopets login?