Ask Mark Barnett he owns it.

if it ain't broke , don't fix it. I happen to like it as it is...

I was just curious. We're in 2020 now, so there are so many new great options out there to give us users a better look and feel. I was never a "if it ain't broke, don't fix it" person. I've always been a "What can I do to enhance user experience." I suppose that comes from my career though, lol.

Not a big deal, I was just curious.

somtimes simple is better= I happen to be a if it aint broke dont mess with it LOL

I agree if it's not broken leave it alone, plain and simple.

something i often tell folks asking for advice on their aquarium problems..
" The more you mess with it , the more you mess it up . "
not to mention that changing something just to suit one or two people just don't work.

As someone who just joined, and a web developer myself, I understand the idea of "if it's not broken don't fix it," but there is something that really needs to be addressed.

It's extremely concerning that passwords are being stored in plain text. How do I know this? Because if you click "Forgot my password" it will send it to you. This should not be possible with properly stored passwords; the website should instead send you a link to reset your password. They should be salted+hashed, and both stored. Not the password itself. In this case, if the database is compromised, the attacker will not have a list of passwords. As it stands, if compromised and someone made the mistake of re-using the password they use on other sites, the attackers now have access to those other accounts, because they have the password itself. This is just bad, to put it bluntly.

The signup/login (or rather how the concept of being logged in doesn't actually exist...) user experience is janky all around and could definitely use a rework, but it's usable. The lack of proper security on the other hand is unacceptable.

From a legal standpoint, I believe Aquabid is actually out of compliance with the GDPR, and as such should be inaccessible in Europe. See Article 5(1)(f) and Article 32.

If it's deemed to be a concern Mark our fearless leader will handle it.

All due respect, it's not 1999 anymore. At the very least there needs to be a very clear notice that re-using a password on this site risks compromising your account on every other website that password is used for. You really shouldn't reuse them anyway, but we all know people do.

It's probably also worth mentioning that every email I've received from the site has gotten caught in Gmail's spam filtering. Just a lot of red flags that the developer / sysadmin either doesn't know or doesn't care about security.

Yeah i read that gmail was having problems like that.

Create a filter in your Gmail account to whitelist emails from AquaBid.com.

1. Click the cog icon in the top-right corner, and then Settings
2. Click on Filters and then Create a new filter
3. Either
   • enter the domain aquabid.com to whitelist in the From field or
   • enter the email address [email protected] to whitelist in the To field
4. Click Create filter with this search
5. In the box headed When a message arrives that matches this search select Never send it to spam
6. Click the Create filter button

First, there is no single database of accounts.

AquaBid.com sets your password initially. I can not control that someone resets it to something they use elsewhere. I can add a statement on the change password page.

No payment information is in an account. It is your address which for most people can be easily found online. An attacker could do the same damage with their own account as with someones account. Don't get me wrong, I understand they need for security. Technically, I could remove everyone's address and make them send it to the other party after winning an auction which I don't think anyone would like.

I could create a "reset" password option with encryption.

I don't want to create a log in. I get enough emails that my child accidentally purchased a fish. The kid accidentally put in their username, password and bid amount. They reviewed the bid page and clicked again. Yes, people can store their username and password in their browser to auto fill but that it up to them.

Seems you got an answer caseyWebb so that being said If it ain't broke leave it alone or however one wishes to say it.