[thesite] aeo: login page, security risk?

Garrett Coakley garrett at polytechnic.co.uk
Thu Aug 30 04:27:44 CDT 2001


On Thu, 30 Aug 2001 10:25:10 +0930, "isaac" <isaac at members.evolt.org>
wrote:

> It's certainly a valid concern. Not particularly crucial given that
> usernames are listed on WEO openly, but still...

Well, although the usernames are there on weo, you have no way of
knowing who out of the total membership is authorised to access 
aeo. I'm thinking more from the point of view of someone outside
of the evolt group.

For someone with "bad intentions" who has stumbled across aeo, right off
the bat they have a list of people they know who can access this
resource (and even better, it has 'admin' in the URL, so there's got to
be something juicy behind the authentication procedure, right?). 

Their next step is going to be finding the second half of the key. They
might hunt round the rest of the evolt network, linking usernames to a
personality. Do they mention family members or pets on thechat archives?
What clues can we glean from their articles / other websites? These are
all valid methods for working out passwords. 

Social engineering and a night class in psychology can often be much
more effective than a copy of SATAN and the Cracklib libraries.


> Maybe the solution is to dump the dropdown and go with two text
> inputs, and provide some text that outlines the differences between a
> WEO and AEO login?

I would go one step further. Just have the two input boxes, nothing
else. When someone is given access to aeo, send them an email with those
sort of instructions in it. Leave the front of aeo a blank canvas. Don't
give them anything to latch onto. 

(I'd advocate getting rid of the tbtnbthingy and links to the rest of
the evolt network on that front page as well. But that's just me *:) )

G.

-- 
----------------------------------------------------------------------------
WORK: http://spiked.co.uk/
PLAY: http://polytechnic.co.uk/
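The "blank canvas" login suggested in the message above, as an added example that is not part of the original post or of the evolt site's code: the form lists no usernames and carries no links, and the server answers an unknown username and a wrong password with the same response after the same amount of work, so the page itself gives an outsider nothing to latch onto. The user table, salts and passwords are constructed for the example; the dummy record and the `login`/`render_login_form` names are assumptions, not anything the site used.

```python
import hashlib
import hmac

# Constructed example user table: username -> (salt, PBKDF2 hash). Not real data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = bytes.fromhex("00" * 16)  # fixed so the example is deterministic
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy record (assumption): used when the username is unknown so the hashing
# work, and therefore the response time, match the known-user path.
_DUMMY_SALT = bytes.fromhex("ff" * 16)
_DUMMY_HASH = _hash("dummy-record-not-a-real-password", _DUMMY_SALT)


def login(username: str, password: str) -> dict:
    """Return one generic failure for both 'no such user' and 'wrong password'.

    The caller learns only whether the (username, password) pair was accepted,
    never whether the username on its own is valid for this site.
    """
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Constant-time compare; the membership check stops a guess of the dummy
    # password from being accepted for a non-existent account.
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    if ok:
        return {"status": 200, "body": "welcome"}
    return {"status": 401, "body": "Login failed."}


def render_login_form() -> str:
    """Bare form: two inputs and a button, no dropdown of names, no hints, no links."""
    return (
        '<form method="post" action="/login">'
        '<input type="text" name="username" autocomplete="off">'
        '<input type="password" name="password">'
        '<input type="submit" value="Log in">'
        "</form>"
    )
```

The two design points are the ones the message makes: nothing on the page reveals who has access (no `<select>` of usernames), and nothing in the server's reply distinguishes "that user exists but the password is wrong" from "no such user", which is what keeps the username list from being half of the key.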