What can be done about this security issue?

I have been concerned about this myself… here is a link.

http://boards.straightdope.com/sdmb/showthread.php?threadid=23388

I’ll refer this to the techs, although it’s been noted this is a feature you can disable in your profile settings.

your humble TubaDiva
Administrator

Thank you, Tuba… sorry I didn't notice that particular feature that I was worried about before.

I’m a non-cookie user, and I think adjusting the browser memory option in your settings will not solve the problem.

First of all, whenever I reply, there is a “you are not logged in” page on which I have to enter my name and password. Having changed the “store username and password in browser memory” option to “no”, my password appears to continue to remain in the browser, but my username does not. After I get past the “you are not logged in” page, I then have to immediately re-enter my name (though my password is remembered!?!). Also, my username and password continue to be passed as part of the URL for posting. For instance, the URL of this reply page is:

(actual password replaced by ******)

This was one of those things I didn’t want to bug about until the update bugs were clear, but it does worry me a great deal. (And the extra “you are not logged in” page annoys me quite a bit, though it did so less when my “store username . . .” option was “yes” because I didn’t have to type my name twice in a row to post. I may switch my option back.)

Anyway, I think these are real security problems, particularly for non-cookie users.

I’m trying to duplicate what you had displayed . . . and I can’t; I’m getting a message totally different from yours with no password at all.

Not sure why this is happening at all; I’ll refer this to the techs for further examination.

your humble TubaDiva
Administrator

FYI, I’m using Netscape 4.7, and I don’t have the UN & PW showing in the address, so maybe this is a browser-specific problem??? I do have the PW stored.

It should be noted that, if you’re worried about packet sniffing, whether or not the username & password appear in the URL makes no difference as far as security goes. Both the old and new boards send your username & password in cleartext. Any BB that does not use SSL for authentication will do this. The new one is just making it more obvious to the user that this is being done.

If you’re worried about your password being sniffed, the best thing you can do is to use a unique password for this site (so if someone finds out your password all they can do is use your account here).
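A check of the kind the post above points at, added here as an example that is not from the board or from vBulletin: a request URL is written to the web server's access log (and the browser's history), so a password carried as a query parameter lands in every such record, which is a second exposure on top of the cleartext transmission. The script scans constructed Common Log Format lines for password-like query keys and shows the redacted form; the log lines, paths and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-string keys that should never carry a secret in a request URL (assumed names).
SENSITIVE_KEYS = {"password", "pass", "pw", "passwd"}

# Constructed sample access-log lines (Common Log Format); not taken from the board.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2000:10:15:02 -0500] "GET /sdmb/newreply.php?action=newreply&threadid=23388&username=alice&password=hunter2 HTTP/1.0" 200 5120
10.0.0.9 - - [12/Jun/2000:10:15:07 -0500] "GET /sdmb/showthread.php?threadid=23388 HTTP/1.0" 200 8831
10.0.0.5 - - [12/Jun/2000:10:16:40 -0500] "POST /sdmb/newreply.php?action=postreply&threadid=23388 HTTP/1.0" 302 0
"""

# Pulls the method and URL out of the quoted request line of a CLF record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def credential_keys(url):
    """Return the sensitive query keys present in a request URL, sorted."""
    qs = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(qs, keep_blank_values=True)
                   if k.lower() in SENSITIVE_KEYS})


def redact_url(url):
    """Replace the value of every sensitive query parameter with 'REDACTED'."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Return (line_no, method, redacted_url, keys) for each record leaking a credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a well-formed request line; skip
        keys = credential_keys(m.group("url"))
        if keys:
            hits.append((n, m.group("method"), redact_url(m.group("url")), keys))
    return hits


if __name__ == "__main__":
    for n, method, url, keys in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {url} leaks {', '.join(keys)}")
```

The redacted form is what a log pipeline should store; the unredacted line shows why a password in a URL is exposed to anyone who can read the log, not only to a sniffer on the wire.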

The newest version of vBulletin, 1.1.1, is available. Among the fixes is the following: ‘Passwords are encrypted in the cookie’. Will this do anything about passwords being sent in cleartext in a URL if you’ve decided not to use cookies? I’m not sure. I’ll be testing the software today and if it performs as expected I’ll be installing it so that we can get other fixes in place.

Jerry

I did what you said and checked the “do not store username and password in browser” button. Now when I come on and try to post my PASSWORD is already typed in and my USERNAME is not. Somehow that is backwards. This happens with Netscape at home and IE at work, so I don't think it's a browser issue. Just wanted to make sure that this issue is known.

Very few (if any) places in cyberspace are truly secure.

Bobort’s hint is worth quoting:

your humble TubaDiva
Administrator