Niss Posted July 1, 2020

Weak Password Policy :- On your website, users are able to use the same password as their username, e.g. the username is pentest123@ and the user can set their password as pentest123@. These types of passwords can be easily guessed.

How to fix this issue? :- Prevent users from using their username as their password.
Tech_Rabbit Posted July 6, 2020

On 7/2/2020 at 12:34 PM, Mychall said: I wouldn't worry too much about your account on a very niche game. Also, it's 2020; at this point it's kinda on you to understand the basics when it comes to password security. Besides, if I wanted to get into your account, I wouldn't be making guesses like that, I would be using a dictionary attack or brute force. I recommend https://howsecureismypassword.net for a rough idea of how well your password should hold up.

You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented.
Feone Varen Posted July 7, 2020

15 hours ago, Tech_Rabbit said: You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented.

While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems. The reason this is an issue is because it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account. It has nothing to do with leaking passwords; the information used as the password in this case is already public.
Tech_Rabbit Posted July 7, 2020

5 hours ago, Feone Varen said: While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems. The reason this is an issue is because it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account. It has nothing to do with leaking passwords; the information used as the password in this case is already public.

How was I exaggerating the problem?
Tyron Posted July 8, 2020

Nyeaaaah, not quite. I do find it important that the software the player interacts with is decently secured. I did now set a minimum strength password policy for the site due to this report, as it was quite easy to do so.
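The check Niss asks for in the first post (reject a password that is just the username) and the "minimum strength" policy Tyron mentions adding are small enough to show together. The following Python validator is an added example written for this page; it is not the game site's code and was not posted by anyone in the thread. The policy values (12-character minimum, 5 distinct characters, the tiny deny list, the 4-character identifier cutoff) and the leet-folding table are assumptions chosen for illustration. It goes a little beyond the literal report: it also rejects passwords that merely contain the username, its reversal, or a common digit-for-letter spelling of it, and it treats the e-mail local part and display name as identifiers too, since those are as public as the username.

```python
"""Password-policy checks for an account signup or password-change form.

Added example, not the site's own code. Policy values and the leet table
are assumptions chosen for illustration.
"""
import re
import unicodedata

MIN_LENGTH = 12            # assumed policy value
MIN_DISTINCT_CHARS = 5     # assumed: rejects "aaaaaaaaaaaa"-style strings
MIN_IDENTIFIER_LENGTH = 4  # assumed: a 2-letter username must not forbid every word containing it

# Constructed stand-in for a real breached/common-password list (e.g. a
# Have I Been Pwned download); a few entries only so the example runs offline.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein12345"}

# Common digit/symbol substitutions folded back to letters, so "p3nt3st" ~ "pentest".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                       "4": "a", "5": "s", "7": "t", "!": "i"})


def _normalize(text):
    """Case-fold, apply NFKC compatibility folding, keep only a-z0-9."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[^a-z0-9]", "", text)


def _forms(text):
    """Spellings of a string an attacker would try: normalized and leet-folded."""
    return {f for f in (_normalize(text), _normalize(text.translate(_LEET))) if f}


def _account_identifiers(username, email, display_name):
    """Public strings tied to the account that must not appear in the password."""
    idents = [username, display_name]
    if email and "@" in email:
        idents.append(email.split("@", 1)[0])  # local part only; the domain is shared by many users
    return [i for i in idents if i]


def validate_password(password, username, email=None, display_name=None):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        reasons.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    if password.casefold() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")

    pw_forms = _forms(password)
    for ident in _account_identifiers(username, email, display_name):
        ident_forms = _forms(ident)
        ident_forms |= {f[::-1] for f in ident_forms}  # also catch the reversed identifier
        for form in ident_forms:
            if len(form) >= MIN_IDENTIFIER_LENGTH and any(form in pw for pw in pw_forms):
                reasons.append(f"contains account identifier {ident!r}")
                break  # one reason per identifier is enough
    return reasons


if __name__ == "__main__":
    # The exact case from the report: username used as password.
    print(validate_password("pentest123@", "pentest123@"))
    # Leet-spelled username padded to the minimum length.
    print(validate_password("p3nt3st123@longerpass", "pentest123@"))
    # An acceptable passphrase.
    print(validate_password("correct horse battery staple", "pentest123@"))
```

Run it on the signup and password-change paths only, alongside (not instead of) a slow password hash and a rate limit on the login endpoint: this check stops the obvious guess, it does not make a weak password strong. Comparing against the reversed and leet-folded forms is cheap and closes the "just type the username backwards" workaround that a bare equality check leaves open.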