HTTPS?

#1

freedomlives

It would be more secure if TBN used HTTPS, which is now free and easy thanks to the "Let's Encrypt" service. Getting Started - Let's Encrypt - Free SSL/TLS Certificates
Probably a lot of users use the same or similar password and username for TBN as for more important services like email, online banking, etc. (bad practice, but it's what most internet users still do). Their password is then getting transmitted in plaintext over the internet for any hacker to intercept.
#2
Hi all

Yes it would be more secure for users if they use the same password for a tractor forum as their banking. On the other hand the owner of this forum isn't our mum doing our washing for us. How far does one expect other people to take responsibility for our own actions? I'm sure quite a few users here are against a "nanny state". If users use the same password for this site and other more security critical sites then they might need to consider the possible consequences and change their behavior.

freedomlives, yes it would be better but it's more work for the maintainer of this site and users just need to use a separate password.

I run a dozen websites and use Let's Encrypt for several of those sites. It's free, and it's had an amazing uptake and has done a huge amount to raise awareness of moving to HTTPS for, in the long term, all sites. At present, though, it needs to be renewed every three months. If something goes wrong on the renewal then this site would be down.

Mike
#3 (Thread Starter)
Of course, just because all the sites one uses have HTTPS encryption isn't justification for using the same password: the site's password database could still be hacked, as has been seen with even huge sites. It was just one reason off the top of my head. The site owner should have as a primary concern that none of his users get their passwords to his site intercepted, at the very least to prevent spam posts on forums, possible time lost dealing with the problem, etc. Then there is also the privacy aspect: to protect users both from someone reading their PMs and from someone being able to track which topics they are looking at. Granted, the level of privacy users would want for their communications about tractors and equipment is probably low.

Do you not set up a cron job to run 'certbot renew' daily? I have Let's Encrypt set up for all of the sites I manage, no matter how trivial. For the first site, given the need to install certbot and read through the documentation, it probably took me an hour. After that, it is not even an extra five minutes for each new site. In a year or two of using it the renewals have all been automatic. Only recently, when I changed a domain name for one of the certificates, I got an email reminder that the old certificate would expire in 19 days. However, this was due to the way Let's Encrypt works: the old certificate was just for Example Domain and the new one added example.com; since the old certificate with just Example Domain wasn't getting renewed, it warned about expiration.

So if something were to go wrong with renewal you would get warned by email almost three weeks ahead of time. And probably the only thing that would cause a problem with renewal is if the cron daemon crashed.
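The check that goes with a renewal cron job, as an added example (not code from anyone in this thread): it takes certificate expiry dates in the text form openssl and Python's ssl module produce and flags any certificate that sits inside the 30-day window in which 'certbot renew' should already have replaced it, since that is the sign automatic renewal has silently stopped. The 90-day lifetime is Let's Encrypt's; the 30-day renewal point and the 20-day warning threshold (approximating the "almost three weeks" above) are assumptions, and the hostnames and dates are constructed.

```python
"""Flag Let's Encrypt certificates whose automatic renewal appears to have failed."""
import ssl
from datetime import datetime, timezone

CERT_LIFETIME_DAYS = 90   # Let's Encrypt certificate validity
RENEW_WINDOW_DAYS = 30    # assumption: certbot renews when less than this remains
WARNING_DAYS = 20         # assumption: roughly when the expiry e-mail arrives


def days_remaining(not_after: str, now: datetime) -> float:
    """Days from `now` until a certificate's notAfter field.

    `not_after` is the text form printed by `openssl x509 -enddate` and
    returned by ssl.getpeercert(), e.g. "Jun 15 12:00:00 2025 GMT".
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify(not_after: str, now: datetime) -> str:
    """Return 'ok', 'renewal-overdue', 'warning-sent' or 'expired'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < WARNING_DAYS:
        return "warning-sent"       # Let's Encrypt has most likely e-mailed already
    if left < RENEW_WINDOW_DAYS:
        return "renewal-overdue"    # inside the renewal window but not renewed
    return "ok"


def needs_attention(certs: dict[str, str], now: datetime) -> dict[str, str]:
    """Map every hostname whose certificate is not 'ok' to its status."""
    report = {}
    for host, not_after in certs.items():
        status = classify(not_after, now)
        if status != "ok":
            report[host] = status
    return report


# Constructed sample inventory: placeholder hostnames, a fixed "now" so the
# result is reproducible. Dates are relative to SAMPLE_NOW (1 June 2025).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "forum.example": "Aug 20 00:00:00 2025 GMT",  # 80 days left: renewed recently
    "shop.example": "Jun 26 00:00:00 2025 GMT",   # 25 days left: certbot missed it
    "old.example": "Jun 19 00:00:00 2025 GMT",    # 18 days left: e-mail already sent
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{host}: {status}")
```

In a real deployment the inventory would be filled from each site's live certificate and the script run from the same crontab as 'certbot renew', so a broken renewal is noticed before the expiry e-mail arrives.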
#4 (Thread Starter)
As far as "nanny state" like practices, I think that term is more applicable to the password creation stage of registration on many sites. It is not the best strategy, but for those who don't use a password manager, picking one password for all the sites that aren't important is one approach. And it is a total nuisance when you've picked out a password, using a combination of letters, numbers, punctuation, and for some utterly trivial website the password is rejected because it somehow doesn't meet the site administrators' idea of what is a secure enough password.
#5
Hi

> picking one password for all the sites that aren't important is one approach.
That's a good system that I also use.

I do not trust online password managers. I think the idea that you trust any online website with your passwords is inherently a bad idea. LastPass has been hacked twice already.

> for some utterly trivial website the password is rejected because it somehow
> doesn't meet the site administrators' idea of what is a secure enough password.
Yes, that's very annoying. Some of the sites require such a complex password I have to write it on a Post-it note and stick it onto the screen ;-)

Mike
 