Niss Posted July 1, 2020

Weak Password Policy: In your website, users are able to use the same password as their user name. For example, the user name is pentest123@ and the user can set their password as pentest123@. These types of passwords can be easily guessed.

How to fix this issue? Prevent users from using their username as their password.
Niss Posted July 2, 2020 (Author)

Any update on this?
Mychael Posted July 2, 2020

I wouldn't worry too much about your account on a very niche game. Also, it's 2020; at this point it's kinda on you to understand the basics when it comes to password security. Besides, if I wanted to get into your account, I wouldn't be making guesses like that, I would be using a dictionary attack or brute force. I recommend https://howsecureismypassword.net for a rough idea of how well your password should hold up.
Tech_Rabbit Posted July 6, 2020

On 7/2/2020 at 12:34 PM, Mychael said: "I wouldn't worry too much about your account on a very niche game. Also, it's 2020; at this point it's kinda on you to understand the basics when it comes to password security. Besides, if I wanted to get into your account, I wouldn't be making guesses like that, I would be using a dictionary attack or brute force. I recommend https://howsecureismypassword.net for a rough idea of how well your password should hold up."

You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented.
Feone Varen Posted July 7, 2020

15 hours ago, Tech_Rabbit said: "You are making a lot of assumptions. As a security engineer, it is not the responsibility of just the user to make sure passwords meet standards. A lot of passwords come from places with poor password policies, and you cannot say this game will be niche forever. You also can't assume the way someone will try to get passwords; there are many other ways than just dictionary attacks. People like you shouldn't be downplaying any security risk. Tyron would be devastated, I bet, if his project was destroyed because of something that could have been prevented."

While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems. The reason this is an issue is that it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account. It has nothing to do with leaking passwords; the information used as a password in this case is already public.
Tech_Rabbit Posted July 7, 2020

5 hours ago, Feone Varen said: "While downplaying security risks isn't a good thing, we also shouldn't be exaggerating problems. The reason this is an issue is that it allows some publicly visible information associated with the account to be used as a supposedly secret password, which makes it more likely someone could get into your account. It has nothing to do with leaking passwords; the information used as a password in this case is already public."

How was I exaggerating the problem?
Mychael Posted July 7, 2020

All I'm saying is that Tyron probably has a lot more productive things to do than fix a security issue that affects next to nobody. The user base here is small; the game is relatively unknown. I feel like assuming nobody cares about your password here is a very reasonable assumption. There are games with much larger user bases and much worse security issues. Password sensitivity is the last thing to worry about when it comes to account security. It's the equivalent of putting a lock on your bike: it'll stop an honest person, but anyone with the right tools will have your bike if they really wanted it. Unless passwords are stored in plaintext on the server, I don't think Tyron should be worrying about anything other than features and bugfixes for his game.
Tyron Posted July 8, 2020

Nyeaaaah, not quite. I do find it important that the software the player interacts with is decently secured. I have now set a minimum-strength password policy for the site due to this report, as it was quite easy to do so.