Concerned about my Privacy on EOS site.

Why are you able to see our passwords?

Surely this is a major security exploit which should be addressed as many people use the same passwords on other sites including banks etc.

Personally I find it a very worrying problem.

I would draw your attention to a post by "Sanchez1" who I believe is a member of staff on EOS on the following thread:

http://www.eyeonspain.com/forums/posts-long-8513.aspx

Quote from Sanchez1:

"xpatman/tobywoods123,

Not only are you posting from the same IP address, but your passwords are the same as well.

David

EOS Team"

I understand that it is important to cross reference ip addresses but to be able to see peoples passwords is a major concern for me and I'd imagine many others on here if they knew.

Care to comment on this?

What's more I remember on a couple of ocassions the site has been hacked or compromised recently.

Surely this now means that there is at least a possibility that our passwords have fallen into the wrong hands seeing as they are clearly not encrypted in any way shape or form.

VERY worrying.

Wow, EOS see our passwords ?

That's wrong, David (Sanchez1) VERY WRONG, & as delza, says, a major security issue.

Erm, how are they supposed to be able to respond to the inevitable "I've forgotten my password" type queries, without such information? Do you imagine that staff at your bank don't have access to your online banking password?

And, given that David only posted the information, not the passwords themselves, on a thread where it had been suggested that two trolls were in fact the same person, I can't really see what the problem is.

 I think you are worrying unnecessarily.

We don't hold any sensitive data and the databases are very highly protected.  The databases were never compromised in the server attack, it was just a server issue.  We have a managed firewall in place with our host company, Rackspace, which is a premium company offering a premium service.

As a rule of thumb you should NEVER use your online banking password for other websites.  I subscribe to hundreds of websites but I never use my most secret passwords on those sites.

If you are worried, then simply change your password to something else.

General websites like these don't tend to use encryption or secure servers as all our credit card payments are processed by third parties, so we never hold this information.

Let me know if you have any further questions.

Justin

"General websites like these don't tend to use encryption or secure servers as all our credit card payments are processed by third parties, so we never hold this information."

Sorry but this is absolute nonsense I design websites for a living, smaller and much bigger than this and I have never ever come across software that allows you to see peoples passwords.

Even the most basic of FREE forum software has password encryption where even the admins can not see the passwords and if a user did forget their password then the admins change it to something for them and tell them to change it again once they have logged in.

In my opinion this is a fundamental security flaw in the site and has me worried as I used the same password on here as I did to my email address which of course has sensitive information within it as I never imagined for the slightest that a site the size of EOS and that has been around for so long is so relaxed on the security front.

What happens if a member of staff suffers a malware attack and had a keyboard logger installed without their knowing? Someone gets their password on here thus EVERY SINGLE users passwords aswell..

To act so flipantly with peoples privacy is quite remakrable in my humble opinion.

This message was last edited by delza on 25/08/2009.

Delza, errmmmm, how do websites know when you have input the correct password???  I would think because it is stored there - and even if it is encrypted, there is always someone there to decrypt it, one would think.  Not all websites send a new password when you contact them about a "forgotten password", some remind you of your existing one.

Personally, unless you know the operating system, suggesting that just because you design websites makes you knowledgeable about such matters, and EOS flippant, seems a little excessive.  And I say this as my husband is an IT consultant, dealing with multi-million dollar licences for multi-national clients and he read your post, said "rubbish" and concurred with what I thought.

As has been indicated already by EOS, if you feel threatened in any way, change your password.  No big deal really!  Not remarkable!

Pityby,

I will not be drawn into a my website is bigger than your website or a I know more than you know and it's really rather pointless.

But needless to say I design internal intranets within a bank so yes I do not what I'm talking about when it comes to securing websites.

Passwords are decrypted on a sever level and using a specific algorithm only known to the people who write the software, sure this is hackable but it will deter 99.9999% of hackers.

To have absolutely no encryption for passwords is quite remarkable in this day and age, it's mind blowing to be honest.

ALL popular forum software and popular CMS products have encryption included and some have a hint based response but you have to input the hint yourself when signing up.

If you happen to forget your password then most SECURE software will reset your password with a temp one based on you having access to your email address then forces you to change the password when you have logged in.

It would NOT be a 'big deal' if there was a warning when you sign up to inform users of the lack of encryption.

 My friends have a property management business and people register on their website for access to the members area.  They tell me that they have access to all the data.  I really think it would be stupid if anyone uses the same password for their online banking as they do for forums and websites like that.  That's just irresponsible.

I have never had any issues with my name and email on the EOS site.

There are various threads on this site about one very large agent M*I who had their database of clients stolen and used for fraudulent purposes.  They are a big company and their database held a lot more information than just a name and email address and a password.  If someone really wants to cause harm they will, no matter what.

I have lost count as to how many times I have seen hacked PHPBB forums and wordpress blogs.  As Justin said, the site was never compromised during the server attack which shows that they have built a strong and relatively secure website.

If you are so worried delza why are you still using the website?  Just ask Justin to delete your account, I am sure he can do that.

@pitby, decryption is not necessary... you use a one-way encryption

i.e. you encrypt the password someone types in to log on, and then check it matches the encrypted form that you store on the server 

@hybridanglo, no bank staff do NOT have access to your password/pins etc, they simply have the ability to reset them.

as delza says, most (all is a tricky word to use ;)) server software these days supports encryption and password policies , but often the default is to use so called 'plain text' encryption, as its the easiest out of the box. but should never be used on production systems. just because others do it , does not make it correct... 

the issue is many people (incorrectly) use the same username and password on many sites, a bad idea indeed, as someone else said really you should use a number of username/passwords. i use one for 'casual' sites, another for sites with 'ordering', and yet others for online banking etc. 

remember...

just because im paranoid, doesnt mean they arent out to get me :) 

delza, this is a forum, not a banking or other secured website.  And if you develop intranets, you will know that it will always depend on the software used.  This has nothing to do with "my website is bigger than your website" - I'm not that small minded!

Obviously, you have a problem, so as barbarah says you can always deactivate your account if you feel so insecure, or just change your password - which possibly, with hindsight, you wouldn't have used the same as your email in the first place!!  As someone who obviously knew the consequences (as most of us do!!) of using the same password for sensitive information, that's what seems remarkable!

Don't knock EOS because you chose to be "flippant" with your password usage!!

 Delza, we take security and privacy very seriously.  Unlike off the shelf forums such as those you are referring to, the whole of EOS is a bespoke design which means that no-one knows how it's constructed and how it works.

In fact it was for this reason I chose to build the entire forum and blog facility from scratch to ensure that no one would be able to hack into the website.

Over the past five years we have built in various levels of security into the website as the it's grown and we have NEVER had an issue of anyone ever taking one bit of data from our backend.

I won't discuss on an open forum some of the excellent work we've done to protect all our hard work, ie, our databases.  I have put my heart and soul into this website for the past 5 years and to call me flipant means you really don't know me or what I believe in.  Do you think I would leave open to risk the actual heart of the website?

We were let down by our server company earlier in the year even though in three years we'd never had an issues with them.  That did worry us at the time so we moved to a premium company Rackspace, look them up, which costs nearly seven times as much each month.  Their level of security is on a par with our own level on the website.  I value privacy and security as much as you do.

Justin

yb wrote: "no bank staff do NOT have access to your password/pins etc, they simply have the ability to reset them."

Maybe not those on the end of a phone line, but as someone who managed a section of RBS's business before moving to Spain, I can assure you that I could access a customer's password and/or PIN. There were internal checks and balances to ensure that such priveleged information was not compromised, but those of us in a position of even marginal authority did have such access.

And considering that RBS Group includes RBS, NatWest, Ulster Bank, Coutts & Co, as well as providing financial services infrastructure for Virgin, Tesco and Mint (among others), that's a fair portion of the UK banking sector. 

With all due respect EOS  Team if your 'despoke' system is SQL based and anyone in their right mind would only design such a thing with an SQL DB then anyone with even basic SQL skills will just print off the password table and bobs your uncle..

Speechless is not the word tbh..

Well at least I now know and in my opinion it would be prudent to advise people when signing up.

I'm sorry delza but I think you are getting very paranoid.

We are NOT holding any critical information.  No credit card details, no addresses, no phone numbers, no bank account numbers....none of that.

If one day someone really desperately wanted to steal our database, and they managed to somehow get through various level of security, all they are going to get is a load of names and email addresses, and a load of passwords if they then want to log in as all those users and post away on the forum!

I mean take for example real estate agencies.  They have full client details on file.  Do you think all that data is secure and private?  Of course not and very often they have people's credit card numbers and bank account numbers.  The estate agency example stated below is a good example of that.  Someone always has access to whatever data there is.

And with regards to encrytion, most systems use only basic encryption.  When someone enters their password the system can read that and convert it to the encrypted format.  Someone has written a program to do it so it can be reveresed.  It is not 100% secure either.  Unless you are using a very high level of encryption and an SSL server then basic encryption isn't that brilliant anyway.  That's why with off the shelf OPEN SOURCE systems you have to keep them updated to prevent continuos hacking, something we don't need to worry about as our backend is not an open source application.

On a final point...if you are that unhappy then please don't use the website.  Let me know and I will delete your account and then you will have nothing to worry about at all.  I don't force people to use the website.

The site is here to help people, provide helpful information and bring people together.  I never thought I'd be classed as a criminal for doing that.

I'm am sure there are plently or real criminals out there that you could target instead.

Justin

Ok Dezla, If you have basic SQL skills. (Sounds like you might have) Send me my password.

I cannot understand what all the fuss is about, if someone wants my password they

are quite welcome, after all there is no money involved. I used to work for an IT company

so I do know what goes on, but will not go into all that. Might get accused of something.

Pat  

Cant understand the attack on EOS, this is a wonderful site, don't knock it, if you don't like it go find another one.

 I'm not an expert. However, surely it is basic common sense to use different passwords depending on the type of site? If anyone wants my password I'll give it to them. What anyone thinks they will find out from that I don't understand. Yes you might be able to log into other forums but that is it. My banking sites have a different password. However, I'm not a computer expert and no doubt someone is going to be able to make the link from one forum site with a password to my bank account with a different password. Yeah right! I wouldn't like to claim to be an expert if I had used the same passwords on different types of site!

@Patman.

I believe you're just trying to stir things up here as I clearly set out in a previous post scenarios of servers being or admin/moderators account being compromised thus leaving the system open to access to myphpadmin (or similar SQL admin software) and then the 'hacker' could just download the password field & email addresses and have a possible field day.

Please troll someone else as it's not going to work with me.

@Justin/EOS Team.

I'm sorry but all I was pointing out as the errors in your statements it is not a dig at you and not really about your site but my own personal opinion is that it IS mind blowing for a site this size not to have some sort of basic password encryption in place.

We're not talking about an estate agents website who has a few hundred email addresses on file here we're talking what I imagine thousands if not 10's of thousands.

And since a lot of the Expat related websites for estate agents are designed in 10 mins from popular CMS products then yes most of them do have some sort of password encryption.

That is not an attack on yourself nor your site, but just fact.

In my own defence yes I did use the same password as my email address that is associated with EOS but that email address is only used for similar sites to this so someone couldn't do much with it but out of the 1000's of users on EOS how many do you think do you the same password as their only email address or something similar? 

Working in this field and in this day and age I just automaticaly assumed a site like this would have had encryption as it is quite simple and inexpensive to implement and yes that is my fault and an error in judgement.

As I mentioned in my previous post I don't believe it to be 'wrong' to automatically assume in this day an age a site like this would have some sort of password encryption and as an end user for me personally I feel that a possible warning about this when signing up would be useful addition.

Obviously this is just my opinion and congratulations on what is (other than that) a fantastic website.