I just noticed today that when logging in, the URL is http://… not https://…
So, are our passwords being sent in plain text?
No, the passwords are not sent in plaintext, only the hash sum of the password is sent. This is made possible by a JavaScript hash function that executes in the browser at the user's side of the connection. Everything else is sent unencrypted (as plaintext).
This is not as secure as an encrypted connection (indicated by https://…), but better than none at all.
Do you know if the hash is salted?
No, I don't know. I can't see anything that looks like it's being salted, but I'm not that good at JavaScript (or determined) that I can rule it out.
The JavaScript function in question is at http://boards.straightdope.com/sdmb/clientscript/vbulletin_md5.js and its usage is visible from the HTML source of the login pages for the curious. There's probably a manual of some sort for vBulletin that could tell us.
For everyone concerned: Never use the same password for more than one website. Failing that - at least tack something new to the end of your standard one each time.
I know I should do this, but in practice I just never do. Which is why I am concerned about this board's security.
Then it’s probably not “best practices” that you broadcast that fact on a public forum.
Well, when I noticed that this board's wasn't encrypted, I changed my password on this site to something unique. So, I think I'm ok.
That’s what I do. Each site gets my main password plus the first two letters of their domain name.
And when an email is involved, I use my website's open naming, where I can add any number of aliases. Each site gets its own domain name as the user name followed by @mydomain.org. Thus, should spam start to arrive from a site, I know for sure it was them that passed out my email, and on top of that I can block it easily with a filter.