I was just curious. We're in 2020 now, so there are so many new great options out there to give us users a better look and feel. I was never a "if it ain't broke, don't fix it" person. I've always been a "What can I do to enhance user experience." I suppose that comes from my career though, lol.
Something I often tell folks asking for advice on their aquarium problems:
"The more you mess with it, the more you mess it up."
Not to mention that changing something just to suit one or two people just doesn't work.
As someone who just joined, and a web developer myself, I understand the idea of "if it's not broken don't fix it," but there is something that really needs to be addressed.
It's extremely concerning that passwords are being stored in plain text. How do I know this? Because if you click "Forgot my password" it will send it to you. This should not be possible with properly stored passwords; the website should instead send you a link to reset your password. They should be salted+hashed, and both stored. Not the password itself. In this case, if the database is compromised, the attacker will not have a list of passwords. As it stands, if compromised and someone made the mistake of re-using the password they use on other sites, the attackers now have access to those other accounts, because they have the password itself. This is just bad, to put it bluntly.
The signup/login (or rather how the concept of being logged in doesn't actually exist...) user experience is janky all around and could definitely use a rework, but it's usable. The lack of proper security on the other hand is unacceptable.
From a legal standpoint, I believe Aquabid is actually out of compliance with the GDPR, and as such should be inaccessible in Europe. See Article 5(1)(f) and Article 32.
Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research … (Art. 5 GDPR – Principles relating to processing of personal data)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level … (Art. 32 GDPR – Security of processing)
All due respect, it's not 1999 anymore. At the very least there needs to be a very clear notice that re-using a password on this site risks compromising your account on every other website that password is used for. You really shouldn't reuse them anyway, but we all know people do.
It's probably also worth mentioning that every email I've received from the site has gotten caught in Gmail's spam filtering. Just a lot of red flags that the developer / sysadmin either doesn't know or doesn't care about security.
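To make the storage model described in the post above concrete, here is an added example (not AquaBid's code, and not written by anyone in this thread) of what "salted + hashed, both stored" and a "send a reset link instead of the password" flow look like side by side. It assumes a hypothetical in-memory user table, a PBKDF2-HMAC-SHA256 work factor of 600,000 iterations and a 15-minute reset-link lifetime; the real site's storage, hash settings and expiry are unknown. The point it demonstrates is which columns exist: a dump of this table contains salts, hashes and hashed reset tokens, never a password.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory "user table": username -> record dict (constructed for
# the example; a real site would persist these same columns in its database).
USERS = {}

HASH_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed setting)
RESET_TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes (assumed setting)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way derivation: cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)


def create_user(username: str, password: str) -> None:
    """Store a fresh random salt and the resulting hash; the password itself is discarded."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "reset": None}


def verify_password(username: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(candidate, rec["salt"]))


def start_password_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the one-time token to e-mail as a link; store only its hash and expiry.

    This is what "Forgot my password" should produce: a fresh secret that proves
    control of the mailbox, not the user's existing password (which is not stored).
    """
    rec = USERS.get(username)
    if rec is None:
        return None  # the web layer should show the same generic message either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def finish_password_reset(username: str, token: str, new_password: str,
                          now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, then re-salt and re-hash."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = rec["reset"]
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(pending["hash"], presented) or now > pending["expires"]:
        return False
    salt = secrets.token_bytes(16)
    rec["salt"], rec["hash"], rec["reset"] = salt, hash_password(new_password, salt), None
    return True


def stored_columns(username: str) -> list:
    """What a database dump would expose for this user: no 'password' column."""
    return sorted(USERS[username].keys())


if __name__ == "__main__":
    create_user("alice", "correct horse")          # constructed sample account
    print(stored_columns("alice"))                  # ['hash', 'reset', 'salt']
    print(verify_password("alice", "correct horse"), verify_password("alice", "wrong"))
    link_token = start_password_reset("alice")      # this goes into the e-mailed link
    print(finish_password_reset("alice", link_token, "new pass"))
```

Two details carry the security argument: a plaintext "Forgot my password" mail is impossible here because the table holds nothing that can be turned back into a password, and the reset token is itself stored hashed with an expiry, so the same dump that would have leaked passwords leaks nothing reusable on other sites.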
Create a filter in your Gmail account to whitelist emails from AquaBid.com.
Click the cog icon in the top-right corner, and then Settings
Click on Filters and then Create a new filter
Either
enter the domain aquabid.com to whitelist in the From field or
enter the email address [email protected] to whitelist in the To field
Click Create filter with this search
In the box headed When a message arrives that matches this search select Never send it to spam
First, there is no single database of accounts.
AquaBid.com sets your password initially. I cannot control that someone resets it to something they use elsewhere. I can add a statement on the change password page.
No payment information is in an account. It is your address, which for most people can be easily found online. An attacker could do the same damage with their own account as with someone's account. Don't get me wrong, I understand the need for security. Technically, I could remove everyone's address and make them send it to the other party after winning an auction, which I don't think anyone would like.
I could create a "reset" password option with encryption.
I don't want to create a login. I get enough emails that my child accidentally purchased a fish. The kid accidentally put in their username, password and bid amount. They reviewed the bid page and clicked again. Yes, people can store their username and password in their browser to auto-fill, but that is up to them.