-
May 3rd, 2004, 12:28 PM
#1
Junior Member
Is this secure?
Are these login forms secure enough to prevent hackers from gaining access to accounts without any authorisation?
http://www.neopets.com/loginpage.phtml
http://www.neopets.com/neoadmin/
-
May 3rd, 2004, 01:51 PM
#2
I think you missed the password field at the logon page!
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
May 3rd, 2004, 04:17 PM
#3
Member
The first page isn't SSL, so people could sniff packets for the password. Not sure about the second, but I think the password could be sniffed there too.
-
May 3rd, 2004, 04:19 PM
#4
Member
No, he didn't miss the password field. Can't you read the paragraph above it?
This is what it says:
To log-in, please enter your username below.
Once you hit Log In to Neopets, you will be presented with a picture of one of your Neopets. If that pet is yours, enter your password to finish logging in. We do this to ensure the security of your account (and try and stop anybody who isn't you getting your Neopoints!)
If you are ever presented with a Neopet that isn't yours, or if the URL in the Address Bar is not www.neopets.com you are not logging into Neopets! Be sure to note the url and report it to us right away!
And coming to the point, did you take bruteforcing into consideration?
After three of some times, the account must be disabled for a few minutes.
There are 10 kinds of people on Earth.
Those who know Binary and those who don't.
[flip]4675636B207468652064616D6E20626C6F6F6479206861636B65642D757020776F726C6400[/flip]
-
May 3rd, 2004, 05:03 PM
#5
Sorry for my 1st post. I've changed the language and didn't notice that explanation. I was very dumb.
By the way, I've tried to enter a user at random, and the system gave a "user unknown"-like message. As leapinglangoor said, someone can just try a lot of combinations to find a valid userid. After that, the attacker can try to guess passwords.
I prefer systems that don't give the attacker a tip, such as "invalid user" or "invalid password". Can you change the logon screen to use https and ask for user and password on the same screen? And if one of them is wrong, just say "user OR password is invalid".
Another idea is to add those random images that contain a string that must be typed, to avoid script attacks.
If you've never seen that, take a look here:
http://www.phpnuke.org/
You will see a "code" that must be re-typed.
-
May 3rd, 2004, 05:52 PM
#6
Dude... It's just neopets.
They've done a fine job of securing the site considering its contents.
Real security doesn't come with an installer.
-
May 3rd, 2004, 08:01 PM
#7
I think they are fine. First off, no one is really gonna mess with your site. But I tested out the first one and it seems to be safe from SQL injection methods. You are using SQL, aren't you?
As for the second one (admin) make sure the password is over 8 chars (uppercase, lowercase and a number or special character ¿ maybe) because after 8 most brute force password crackers just give up. And is this one a .htaccess or just javascript?
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
-Walt Whitman-
-
May 27th, 2004, 02:09 PM
#8
Member
I hear lots about people getting their Neopets accounts hacked. Neopets doesn't really care about it. And nothing is "secure enough". Why are you so worried about Neopets anyway?
So no, it isn't secure enough.
Even SSL can be sniffed and decoded, right?
If you have time, be sure to drop by my website at www.johnscompany.net
-
May 27th, 2004, 02:54 PM
#9
Member
I'm impressed that you have both a short and a long version of the terms and conditions for the site . . .
I just ran a quick exodus analysis of the site and it seems pretty stable. The weak spot in the chain would be the complexity of your admin account IDs and passwords, as this would be a pretty easy site to apply a brute force attack to.
But again, who would try that hard?
-
May 27th, 2004, 02:59 PM
#10
Senior Member
Why are you concerned about the security of the Neopets login?