Starting Out wrote: Site says not secure, am I open to viruses?
That warning, which is new in Firefox and Chrome, is a bit ambiguous and will be eliminated as soon as I move the site to https. The same vulnerability has existed here for the last 12 years and would exist on any other site that does not employ https for logins. If you are not using Firefox or Chrome you will not see that warning.
https://arstechnica.com/information-tec ... -insecure/
They have a point, but it may not be clear to many people what the warning is about. When you type your password in and then submit, it's sent as plaintext when using http. If that information is intercepted by someone in transit, it can be read. For example, suppose you are at a coffee shop using their public wifi. The person in control of that wifi router can intercept your username and password.
The consequences of this can depend. I've preached it before and I'll continue preaching it: DO NOT use the same password on this site that you use elsewhere. This should be standard practice for everyone, for every site,* no matter what. Whether your password is intercepted in transit or the server is breached, that will leave other accounts you have vulnerable. If they know your username, email and password here, someone could try that password for your email account. If that password is only being used here, at most the consequence is someone obtaining access to your account here.
When I move the site to https the threat of having your password intercepted will be eliminated and you won't see that warning anymore.
It will not eliminate the possibility of it being exposed if the server is hacked. In the 12 years I have been running this forum I'm not aware of the server being breached. That does not mean 100% that it didn't happen or that it won't happen. For security reasons your password is encrypted in the database; even I can't tell you what it is. If a hacker obtains the database, they would have a great deal of difficulty obtaining those passwords. That said, it would be a trivial matter to obtain them by modifying the scripts. It would be a pointless and reckless exercise for me to do that, not so for someone who hacked the server.
More information here on managing your passwords:
* Obviously there may be some sites where this is irrelevant. Just ensure that when you use the same password on different sites, the exposure of that password is inconsequential.