Quote:
Originally Posted by pokergrader
I would just like to note the "security" updates put in place are lucklaster.
Passwords are hashed with MD5 on the client-side before being sent. OK, that is better than being sent in plaintext, however, this is not the approach real websites use to secure user information. They do the following:
1) Ensure there is an encrypted connection everytime a password is being sent. 2+2 does not do this. Setting up SSL is neither expensive nor complicated, and 2+2 should do it if it cares about securing people's accounts. If somebody logs into 2+2 via a wireless connection for example, it doesn't matter that the login form is only sending a hash, I can just snoop the hash and then login with it. I don't know the person's password, but I know their password hash which is just as good. 2+2 should use an encrypted login form to prevent people from snooping login information.
2) Store the password hash using a strong hashing algorithm. There is no way to know if 2+2 is doing this or not, but given the history of what just happened I'm assuming they are probably just taking the client-side hashing and storing that, which would be very bad. MD5 is a weak and broken hashing algorithm, and there is no reason it should be used for cryptography anymore.
3) Good websites *never* sent passwords in plaintext in emails. This is especially comical for 2+2 because after you verify your email and are sent to a webpage, that webpage just emails you a password. The correct way would be for that page to securely allow you to set your password instead of emailing you a temporary one.
i agree with this. like i said before i had to change my twitter password, nothing more, but security should be top priority for any site that uses a login honestly.\, even if for a poker forum, or a joke forum like Ebaums or 9gag or something.
