The Official Forum  

  #1 (permalink)  
Old Fri Jan 09, 2015, 12:47am
Official Forum Member
 
Join Date: Oct 2007
Posts: 785
If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.
  #2 (permalink)  
Old Fri Jan 09, 2015, 02:15am
Archaic Power Monger
 
Join Date: Mar 2007
Location: Houston, TX
Posts: 5,983
Quote:
Originally Posted by Altor
If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.
This. That's a pretty serious issue that needs to be rectified immediately.
__________________
Even if you’re on the right track, you’ll get run over if you just sit there. - Will Rogers
  #3 (permalink)  
Old Fri Jan 09, 2015, 07:59am
Official Forum Member
 
Join Date: Oct 2014
Location: FL
Posts: 169
Nevada,

Thank you for sharing. That is not an acceptable security level. I have sent an email as well.
  #4 (permalink)  
Old Fri Jan 09, 2015, 09:17am
Official Forum Member
 
Join Date: Oct 2007
Posts: 785
Just checking on other things Arbiter. I went to https://nfhs.arbitersports.com and clicked the "forgot password" link. That took me to a site that looks like it is a single authentication point for all Arbiter sites. I typed my address in the box. They sent me my current password!

It's not just ArbiterPay. If you have an Arbiter account of any kind, this affects you.

If you are one of those people that has the same password everywhere, I suggest you change it everywhere. And when you change your Arbiter password, use a different password.

Even better: Don't use the same password twice. Instead use a password database like KeePass or LastPass.

Last edited by Altor; Fri Jan 09, 2015 at 09:19am.
  #5 (permalink)  
Old Fri Jan 09, 2015, 02:31pm
Official Forum Member
 
Join Date: Aug 1999
Location: In the offseason.
Posts: 12,263
The fact that they can send you your password in an email when you change it doesn't necessarily mean they store it in plain text. They could insert it into the email prior to transforming it and storing it.

The fact that they can send you your password by email at a later time also doesn't mean they're storing it in plain text. Data can be encrypted and stored and then decrypted when needed. They very well may be storing the passwords in an encrypted form that is not directly useful to a hacker or malicious employee. But, they are using a 2-way encryption method that allows the data to be decrypted. There will be a "key" that is used to encrypt and decrypt the data. If someone gets the data and the key, then they have the passwords.

The right way to handle passwords (and the way I handle passwords) is to use a 1-way hash on the password before storage. This method is not new and is used by a lot of websites.

When passwords are stored that way, it is impossible to ever determine what the person's password is. I have direct access to the database and the programming of reftown.com and even I can't tell what the actual password is for any of my users.

When someone sets a password, it is passed through a 1-way encryption and then stored. When they log in, the attempted password is also passed through the 1-way encryption. If the two encrypted values match (the one from the database and the one from the attempted password), the user is allowed in.

This implies that the only way to get someone's password from such a system is to either intercept it before it gets to the server (using https solves that) or guess at the password and see if it creates a match after encrypting. Using long and complicated passwords essentially makes that impossible.

What that also implies is that you have to reset your password if you ever forget it. There are a few ways to do that. You can use temporary passwords that require a change on the first use. Or, you can use 1-time use password reset links that give the user a password and allow them to change it.

Any website that can send you your password is not storing your password as securely as is possible. If it is recoverable, then a hacker can potentially download the entire user list and see everyone's password. If you use the same password at other sites, then every account you use it at is potentially compromised.
__________________
Owner/Developer of RefTown.com
Commissioner, Portland Basketball Officials Association

Last edited by Camron Rust; Fri Jan 09, 2015 at 02:36pm.
  #6 (permalink)  
Old Fri Jan 09, 2015, 03:40pm
LRZ
Official Forum Member
 
Join Date: Mar 2014
Location: SE PA
Posts: 768
What is a "1-way hash"?
  #7 (permalink)  
Old Fri Jan 09, 2015, 03:45pm
In Time Out
 
Join Date: Nov 2008
Posts: 794
When I first signed up for Arbiter I was perplexed with their lack of complex security especially with SSN. I emailed my concerns years back and it seems like the problems still remain especially with encryption. I could be wrong because I don't know what is going on behind the scenes but it just seems with the personal info on there they need to improve their cyber security a lot.
  #8 (permalink)  
Old Fri Jan 09, 2015, 04:41pm
Archaic Power Monger
 
Join Date: Mar 2007
Location: Houston, TX
Posts: 5,983
Quote:
Originally Posted by LRZ
What is a "1-way hash"?
Basically it's like a one-way valve for encryption. Passwords sent to the server (in this case Arbiter) are transformed into output that is gibberish to a person but can be understood by the program that has the right key. It's one way because the converted data cannot be transformed back into the original password and sent back to anybody requesting it.

It's like the roach motel of passwords.

http://www.webopedia.com/TERM/O/one-..._function.html
__________________
Even if you’re on the right track, you’ll get run over if you just sit there. - Will Rogers
  #9 (permalink)  
Old Fri Jan 09, 2015, 07:40pm
Official Forum Member
 
Join Date: Aug 1999
Location: In the offseason.
Posts: 12,263
Quote:
Originally Posted by LRZ
What is a "1-way hash"?
It is a transformation of the data from one form to another cryptic form such that you can never reverse the operation. I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

The only thing you can do with it is use it to confirm that newly supplied information is the same as previously supplied information.

It goes like this:

1. You set a new password.....abc123
2. That password gets converted to dlkVj08.9Auf3@uQl839&dRsa
3. That converted value is stored in the database with your username
4. Later, you log in and provide abc123 as your password
5. The system converts that into the same as above (the conversion is repeatable).
6. Since you provided the same password as you set up in step 1, the converted values will match and you are allowed in.

A similar technique is used to sign documents or files for downloads. The publisher of the file provides an MD5 checksum (and it is only 32 ASCII characters long). If you get the file from an alternate source and check the MD5 of the file you received and it matches the one provided by the original publisher, you can be assured that the entire file is exactly the same. Change even one character anywhere in the file and the MD5 checksum changes dramatically.
__________________
Owner/Developer of RefTown.com
Commissioner, Portland Basketball Officials Association
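
The set-and-verify flow described in posts #5 and #9, together with the one-time reset link from post #5, as an added Python example that is not part of any post in this thread. It goes a step beyond the posts by adding a per-user salt and by using PBKDF2-HMAC-SHA256 as the one-way function; the function names, the iteration count and the 15-minute link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # PBKDF2 work factor (assumed value)
RESET_TTL = 15 * 60    # reset-link lifetime in seconds (assumed value)

users = {}         # username -> (salt, derived key); stands in for the database
reset_tokens = {}  # sha256(token) -> (username, expiry time)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(username, password):
    """Steps 1-3: convert the password and store only the converted value."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords give different records
    users[username] = (salt, _derive(password, salt))


def verify_password(username, attempt):
    """Steps 4-6: repeat the conversion and compare in constant time."""
    # Unknown users get a dummy salt so the check costs the same either way.
    salt, stored = users.get(username, (b"\x00" * 16, b""))
    return hmac.compare_digest(stored, _derive(attempt, salt))


def issue_reset_token(username, now=None):
    """Forgotten password: e-mail a one-time link token, never the password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # store only the token's hash
    reset_tokens[digest] = (username, now + RESET_TTL)
    return token


def redeem_reset_token(token, new_password, now=None):
    """Accept the token once, before it expires, then store the new password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```

Nothing stored in `users` or `reset_tokens` can be mailed back to the account holder as a working password or link, which is why a forgotten password has to go through the reset path.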