
Aggressor website: CAUTION

Discussion in 'Aggressor Adventures' started by Mike Walker, Nov 3, 2019.

  1. Mike Walker (Contributor)

    I'm currently in the process of improving my personal password practices which involves creating unique randomized passwords for every site.

    While updating my password for Aggressor, however, I ran into something interesting: my old password was displayed back to me in clear text, completely unprompted. This is a very, very bad indicator and suggests that their site is storing passwords either unencrypted or with reversible encryption, and potentially poses a security risk for everyone who uses the site (i.e., if they get compromised, your password is now freely available to whoever did the hack; if you've reused that password, you then have big issues. Also, their staff can potentially view your password.) One has to wonder if credit card data is treated similarly?

    Anyway, they would hardly be the first to do this... the reality is, your data is probably already compromised by one of the many breaches that have happened in the past at much bigger companies (if you do reuse passwords). The process to fix this is labour intensive (and is what I'm doing right now). But for those concerned with password best practices and general online security, you may want to review what data you have stored in their system.

    (Happy to be proven wrong here, but on the surface it does not look like good practices are being followed)
     
  2. Hoag (Contributor)

    You make some very good points. I have been told by someone who deals a lot in the cyber security field that if passwords are not at least 13 characters, then they have already been broken. (That is not to say that "your" info has been hacked, only that every possible password with fewer than 13 characters has been broken.) He recommended an app called "1Password" that is a password manager. It can assign random passwords to all of your logins, and all you have to do is remember one master password to access the app.

    This doesn't address the issue of any website displaying a password in plain text, but it can assist greatly as you change/update all of your passwords in the future.
     
  3. Mike Walker (Contributor)

    1Password is one of several tools (I use Dashlane) that allow you to effectively manage passwords and, most importantly, assign unique randomized passwords to every account such that a single compromised account has no impact on the others. There are many options and they all have pluses and minuses, but using any one of them is far better than reusing passwords.

    Everything in security/encryption is effort vs. reward. Yes, short passwords are crackable, but no one cares enough about your scuba cruise details to bother cracking your login to a single site (such as Aggressor's). However, if they can get all accounts and all passwords with a single action (as would be the case with passwords stored in clear text or reversible encryption), then they may choose to do so if there are enough accounts at stake. Odds are some people use the same login/password at their bank or another target with potential for high reward.

    Very few organizations are implementing true best practices, as the time and cost to develop and implement those solutions is high. The best we can hope for from most small businesses is a 'best effort'. However, what I saw here is indicative of 'no effort' and does not even meet good practice from 15 years ago.

    (In very broad terms the 'correct' way to do this is to have the system store a 'hash' which can be used to compare against a user entered password and authenticate but cannot be reversed into the original password. This is where the math/cryptography comes in.)
     
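The 'hash, don't store' scheme sketched in very broad terms in the post above, as an added example that is not code from the original thread or from Aggressor's site. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash, a 16-byte random salt per user, and a made-up self-describing record format `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>`; the `UserStore` class and its usernames are constructed for the demonstration. The point it makes concrete: a password change only needs to verify the old password, and with this scheme the site has nothing it could display back to you even if it wanted to.

```python
"""Salted, stretched password storage (added example, not the site's code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16                # assumed salt length


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a one-way record for storage.

    The salt is random per user, so two users with the same password get
    different records and a leaked table cannot be attacked with one
    precomputed dictionary. The iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time. Nothing here can yield the original password."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal account table keyed by username (constructed for the example)."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS) -> None:
        self.iterations = iterations
        self.records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password, self.iterations)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn the same work as a real check so an unknown username is not
            # distinguishable by response time (fixed dummy salt, result discarded).
            hash_password(password, self.iterations, salt=b"\x00" * SALT_BYTES)
            return False
        return verify_password(password, record)

    def change_password(self, username: str, old: str, new: str) -> bool:
        """A password change only needs to verify the old password; the site
        never has to (and with this scheme cannot) show it back to the user."""
        if not self.login(username, old):
            return False
        self.records[username] = hash_password(new, self.iterations)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("diver1", "correct horse battery staple")
    store.register("diver2", "correct horse battery staple")
    # Same password, different stored records: the per-user salt did its job.
    print(store.records["diver1"] != store.records["diver2"])
    print(store.login("diver1", "correct horse battery staple"))
    print(store.change_password("diver1", "wrong guess", "new-pass"))
    print(store.change_password("diver1", "correct horse battery staple", "new-pass"))
    print(store.login("diver1", "new-pass"))
```

Two details worth noting: the record carries its own iteration count, so the work factor can be raised later and old records rehashed on the user's next successful login; and `hmac.compare_digest` rather than `==` keeps the comparison constant-time. A site doing this has only the salt and the derived digest on disk, which is exactly why it could never echo an old password back.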
  4. HKGuns (Contributor)

    My advice is to be very careful about even creating accounts. I usually check out as a guest now instead of providing them personal information to store and have taken. The security of these small companies is utterly atrocious.

    If you must create an account, make your password long enough that it takes too long to crack. Hashes are easily cracked; 26 characters is pretty much crack-proof, but even shorter will take them long enough that they lose patience on getting your credentials.

    I use 1Password as well, but the best defense is to simply say no. Bonus is you don't get spammed when they sell your information for an extra buck.

    #IWentNo
     