Thread: Is this secure?

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    1

    Is this secure?

    Are these login forms secure enough to prevent hackers from gaining access to accounts without any authorisation?

    http://www.neopets.com/loginpage.phtml

    http://www.neopets.com/neoadmin/

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    I think you missed the password field at the logon page!
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    The first page isn't SSL, so people could sniff packets for the password. Not sure about the second, but I think the password could be sniffed there too.

  4. #4
    Member
    Join Date
    Nov 2003
    Posts
    33
    No, he didn't miss the password field. Can't you read the paragraph above it?
    This is what it says:
    To log-in, please enter your username below.

    Once you hit Log In to Neopets, you will be presented with a picture of one of your Neopets. If that pet is yours, enter your password to finish logging in. We do this to ensure the security of your account (and try and stop anybody who isn't you getting your Neopoints!)

    If you are ever presented with a Neopet that isn't yours, or if the URL in the Address Bar is not www.neopets.com you are not logging into Neopets! Be sure to note the url and report it to us right away!
    And coming to the point, did you take bruteforcing into consideration?
    After three or so times, the account must be disabled for a few minutes.
    There are 10 kinds of people on Earth.
    Those who know Binary and those who don't.

    [flip]4675636B207468652064616D6E20626C6F6F6479206861636B65642D757020776F726C6400[/flip]

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Sorry for my 1st post. I've changed the language and didn't notice that explanation. I was very dumb.
    By the way, I've tried to enter a user at random, and the system gave a "user unknown"-like message. As leapinglangoor said, someone can just try a lot of combinations to find a valid userid. After that the attacker can try to guess passwords.

    I prefer systems that don't give the attacker a tip, such as "invalid user" or "invalid password". Can you change the logon screen to enter in https and ask for user and password on the same screen? And if one of them is wrong just say "user OR password is invalid".
    Another idea is to add those random images that contain a string that must be typed, to avoid script attacks.
    If you have never seen that, take a look here:
    http://www.phpnuke.org/
    You will see a "code" that must be re-typed.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
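
The two suggestions in posts #4 and #5 (one identical failure message whether the user or the password is wrong, and a temporary lockout after a few bad tries), as an added Python example that is not from the thread or from Neopets. The class name, the 3-failure limit, the 300-second lockout and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3        # assumption: "three or so" tries, per post #4
LOCKOUT_SECONDS = 300   # assumption: "a few minutes"
GENERIC_ERROR = "user OR password is invalid"   # wording from post #5


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Hypothetical in-memory login check with uniform errors and lockout."""

    def __init__(self, clock=time.monotonic):
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # username -> (failure count, locked_until)
        self._clock = clock
        # Dummy record so unknown usernames cost the same hashing work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            # Locked accounts get the same reply as any other failure.
            return False, GENERIC_ERROR
        salt, stored = self._users.get(username, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and username in self._users:
            self._failures.pop(username, None)
            return True, "ok"
        # Failures are counted for unknown names too, so the lockout
        # behaviour does not reveal which usernames exist.
        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[username] = (count, 0.0)
        return False, GENERIC_ERROR
```

A production version would also bound the size of the failure table and rate-limit per source address, since a per-account lockout alone lets anyone lock out a known username.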

  6. #6
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Dude... It's just neopets.

    They've done a fine job of securing the site considering its contents.
    Real security doesn't come with an installer.

  7. #7
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    I think they are fine. First off, no one is really gonna mess with your site. But I tested out the first one and it seems to be safe from SQL injection methods. You are using SQL, aren't you?

    As for the second one (admin) make sure the password is over 8 chars (uppercase, lowercase and a number or special character maybe) because after 8 most brute force password crackers just give up. And is this one a .htaccess or just javascript?
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  8. #8
    I hear lots about people getting their Neopets accounts hacked. Neopets doesn't really care about it. And nothing is "secure enough". Why are you so worried about Neopets anyway?
    So no, it isn't secure enough.
    Even SSL can be sniffed and decoded, right?
    If you have time be sure to drop by my website at www.johnscompany.net

  9. #9
    I'm impressed that you have both a short and a long version of the terms and conditions for the site . . .

    I just ran a quick exodus analysis of the site and it seems pretty stable. The weak spot in the chain would be the complexity of your admin account IDs and passwords, as this would be a pretty easy site to apply a brute force attack to.

    But again, who would try that hard?

  10. #10
    Senior Member
    Join Date
    Feb 2003
    Posts
    105
    Why are you concerned about the security of the Neopets login?
