Removing the maxlength=”20″ restriction on password fields allows longer passwords without a problem (I’m actually unsure why that’s there in the first place—it doesn’t actually prevent a malicious actor from sending a 1 GB password, as it’s a client-side check).
Good to know. I hadn’t actually bothered to check; I just used a unique password and email address as a matter of course—but I’m glad anyhow. Of course, that doesn’t guarantee they’re storing the password verifier, but I certainly could go read the source myself and find out.
Of course, if I was actually concerned about the security of my account here, I wouldn’t use the site at all because it’s only available unencrypted. Given how easy and cheap (even free) it is to enable TLS these days, I’m honestly surprised this site not only defaults to plaintext but doesn’t support encryption at all. Intercepting network traffic is easy (promiscuous mode on open WiFi, run your own hotspot with an expected SSID, ARP spoofing, etc.)
The worrying questions have somewhat less worrying answers. Here is the cause of the length limit of 20 (in r2/r2/templates/login/html):
Removing the maxlength=”20″ restriction on password fields allows longer passwords without a problem (I’m actually unsure why that’s there in the first place—it doesn’t actually prevent a malicious actor from sending a 1 GB password, as it’s a client-side check).
Good to know. I hadn’t actually bothered to check; I just used a unique password and email address as a matter of course—but I’m glad anyhow. Of course, that doesn’t guarantee they’re storing the password verifier, but I certainly could go read the source myself and find out.
Of course, if I was actually concerned about the security of my account here, I wouldn’t use the site at all because it’s only available unencrypted. Given how easy and cheap (even free) it is to enable TLS these days, I’m honestly surprised this site not only defaults to plaintext but doesn’t support encryption at all. Intercepting network traffic is easy (promiscuous mode on open WiFi, run your own hotspot with an expected SSID, ARP spoofing, etc.)