Vulnerability report


Weak Password Policy :-
In your website, users are able to use the same password as their user name. For example, if the user name is pentest123@, the user can set their password as pentest123@; these types of passwords can be easily guessed.

How to fix this issue? :-
Prevent users from using their username as their password.


I wouldn't worry too much about your account on a very niche game. Also, it's 2020; at this point it's kinda on you to understand the basics when it comes to password security. Besides, if I wanted to get into your account, I wouldn't be making guesses like that, I would be using a dictionary attack or brute force.

I recommend https://howsecureismypassword.net for a rough idea of how well your password should hold up.


On 7/2/2020 at 12:34 PM, Mychall said:

I wouldn't worry too much about your account on a very niche game. Also, it's 2020; at this point it's kinda on you to understand the basics when it comes to password security. Besides, if I wanted to get into your account, I wouldn't be making guesses like that, I would be using a dictionary attack or brute force.

I recommend https://howsecureismypassword.net for a rough idea of how well your password should hold up.

You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented.


15 hours ago, Tech_Rabbit said:

You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented.

While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems.

The reason this is an issue is because it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account.

It has nothing to do with leaking passwords; the information used as the password in this case is already public.


5 hours ago, Feone Varen said:

While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems.

The reason this is an issue is because it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account.

It has nothing to do with leaking passwords; the information used as the password in this case is already public.

How was I exaggerating the problem?


All I'm saying is that Tyron probably has a lot more productive things to do than fix a security issue that affects next to nobody. The user base here is small, and the game is relatively unknown. I feel like assuming nobody cares about your password here is a very reasonable assumption. There are games with much larger user bases and much worse security issues.

Password sensitivity is the last thing to worry about when it comes to account security. It's the equivalent of putting a lock on your bike: it'll stop an honest person, but anyone with the right tools will have your bike if they really want it.

Unless passwords are stored in plaintext on the server, I don't think Tyron should be worrying about anything other than features and bugfixes for his game.


Nyeaaaah, not quite. I do find it important that the software the player interacts with is decently secured. I did now set a minimum strength password policy for the site due to this report, as it was quite easy to do so.

