
Louis Kessler’s Behold Blog

How Secure are Your Passwords? - Fri, 11 Jan 2008

Article warning: If you are paranoid about everything, you should avoid reading this article or it may ruin the Internet for you.

I started converting the Behold Forum over to bbPress. The first thing I had to do was convert all the registered users. To my horror, I discovered that my old Forum stored the passwords as plain text.

That actually was terrible for three reasons. First, if I was a dishonest guy, I could take your password, assume you used the same one at other sites you use, and login as you and do malicious things. Second, since I’m honest and don’t even want to know what your password is, if there was someone working for me who had access to the database, they might be dishonest and use your password. Third, since I don’t have anyone working for me, if there was a hacker out there who could get into my database, they could use your password.

So I’m not talking here about the “quality” of your password. It doesn’t matter if you use a simple 3 letter password, or a complex 29 character password with lower and uppercase and numbers and special characters. If someone can find it out, it doesn’t matter how well crafted it is.

WordPress and bbPress are different. They do not store the password in the database. Instead they “hash” the password using the MD5 algorithm and store that hashed value. This is not encryption, which would let the password be recovered again; it is a one-way hash that hides the password from everyone, including the owners of the database.

Now I know there have been vulnerabilities found to MD5 and WordPress and others are working to block them, but even so, hashing the password is infinitely safer than leaving it in plain text for the three reasons above.

So that got me wondering. I have about a dozen different passwords at several hundred different sites I use. I wonder how many of them are not hashed but are insecure in plain text in the databases.

In most cases, there actually is an easy way of finding out. Go to a site you’ve registered with and click on the “lost my password” link. If they email you back your actual password, then they are storing it in text or in some accessible way. If they instead send you a message with a new random password and say your password is reset, then they probably don’t have access to it, and all they can do is give you a new one.

Unfortunately, you can’t find this out until you’ve already registered for the site. For people paranoid about this, I guess the trick would be to use a dummy e-mail address and dummy password and register with that, do a lost password request and see what they send back. Then you can decide whether to trust them and register for real.
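The following is an added example, not code from the post or from WordPress/bbPress. It puts the two storage styles the post contrasts side by side: a plain-text user table like the old Forum's, and a table holding only an unsalted MD5 digest like bbPress and WordPress used at the time. It also shows why the “lost my password” test works: a plain-text store can mail the password back, while a hashed store can only issue a new random one. The final two functions go beyond the post and show the stronger salted, slow-hash form (PBKDF2 from the standard library) a practitioner would use today; the user names, passwords and iteration counts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Each "users" dict stands in for a database table mapping username -> stored credential.


def store_plaintext(users, username, password):
    """Old Forum style: the password itself is written to the database."""
    users[username] = password


def lost_password_plaintext(users, username):
    """A site that can do this is the tell-tale sign from the post: it mails
    your real password back, so anyone who reads the table has it too."""
    return users.get(username)


def store_md5(users, username, password):
    """bbPress/WordPress (2008) style: only the unsalted MD5 hex digest is kept."""
    users[username] = hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_md5(users, username, password):
    """Login check: hash what the user typed and compare with the stored digest."""
    stored = users.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    # constant-time comparison avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, stored)


def reset_password_md5(users, username, length=12):
    """'Lost my password' for a hashed store: the old password cannot be
    recovered, so a fresh random one is generated, its hash replaces the old
    entry, and the new password is returned for the reset e-mail."""
    if username not in users:
        return None
    new_password = secrets.token_urlsafe(length)  # random, unrelated to the old one
    store_md5(users, username, new_password)
    return new_password


# Added caveat beyond the post: a per-user salt plus a deliberately slow key
# derivation (PBKDF2-HMAC-SHA256). The salt and iteration count are stored
# beside the digest so the check can be repeated at login.
def store_pbkdf2(users, username, password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    users[username] = (salt, iterations, digest)


def verify_pbkdf2(users, username, password):
    record = users.get(username)
    if record is None:
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse")   # constructed sample user
    store_md5(hashed, "alice", "correct horse")
    print("plain-text table holds :", plain["alice"])
    print("hashed table holds     :", hashed["alice"])
    print("mailed back on 'lost'  :", lost_password_plaintext(plain, "alice"))
    print("hashed store can only reset to:", reset_password_md5(hashed, "alice"))
```

Run it and the plain-text table prints the password itself, while the hashed table prints a 32-character digest that is no use to anyone reading the database; the reset function is the only thing the hashed store can offer, which is exactly the behaviour the post suggests looking for.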

Credit card information could have the same problem. You can’t do the same thing here, since I’ve never seen a “lost my credit card information” link on a site. You can follow the policy of only giving your credit card to companies you totally trust. That’s why PayPal is so popular. You can buy from thousands of companies, but PayPal will be the only one with your number. But do you trust PayPal? I’d trust them more than the various kids working at the corner gas station who get my card number all the time. This is not really a worry though, because credit cards have lots of levels of security and are actually very safe. The credit card companies will protect you from credit card fraud.

But giving out passwords you use can be much worse. What if your userid and password were the same for your PayPal account? That could be very bad.

For those of you who signed up to my Behold Forum, I apologise. I didn’t know about this before. I’m transferring your account and an MD5 hash of your current password to the new bbPress forum I am creating, and they’ll now be safe.

Integration, Not Once, But Twice - Tue, 8 Jan 2008

Last night I managed to install Vanilla and using about a dozen different articles from the web, integrated it correctly with WordPress. I was very pleased.

Then this morning, I found that I had missed the fact that the Open Source groups using WordPress have been working on their own light Vanilla-like Forum software called bbPress. Researching it, and looking at some implementations of bbPress, I saw no advantages anymore to staying with Vanilla. Its implementation was different from WordPress, and I’d have to learn and maintain 2 different methods of adding themes, inserting plugins and setting up the pages. With bbPress, I’d be talking basically the same language as WordPress. Even though bbPress is only at Version 0.8.3.1 (even Behold is further!), right now it seems to have everything I want.

It only took me an hour to get rid of Vanilla and integrate bbPress instead. Next I’ll customize it to my style and make it exactly what I want. This part’s actually a lot of fun.

Newsletter Blues - Mon, 7 Jan 2008

Happy New Year everyone! I’ve worked hard and really customized WordPress to look and work exactly as I’d like. It’s ready to go as soon as I get the rest of the site up.

One of the next tasks was to replace the mailing software that I was using to send out my Behold News to people who had purchased or downloaded Behold. You might have noticed that you didn’t receive a mailing for my last version in November. I didn’t send one out because I had problems back in August with my mailings. My software kept shutting down every few hundred people and I’d have to restart it quite a few times. I wasn’t sure if everyone had received it, and I’m sure some people received it twice. I didn’t want that to happen again, so I didn’t send one out in November.
I was thinking of switching to phpList to be my mailing program. But in the last couple of days, I found out the real problem and phpList wouldn’t be any better than Spd E-Letter would.
There are three ways of sending Mass Mailings:

  1. From a program running on your website. This is what Spd E-Letter and phpList do. What I discovered the trouble here is that webhosts limit the number of mailings you are allowed to make in an hour. This is to prevent spamming. My number of mailings is now getting large enough that it would take quite a number of hours to send them all out at the limits they allow. If I had 10 times the list size, it would take days. So this is no longer a solution for me for the future.
     
  2. From a program running on your computer. Unfortunately this has the same problem. The limit instead is imposed by the ISP who you get Internet service from.
     
  3. From a company on the web that provides e-mailing services. This appears to be my only option. My research indicates the way to go is to stick to one of the top two: AWeber or GetResponse.

So at least for now, I don’t have to worry about trying to implement phpList along with everything else I’m doing to get the new site up. But what I may do when I get my next version of Behold out, is try out both AWeber and GetResponse each with half my people and see which I like better.

But next it’s off to Vanilla and finishing up the rest of my “new” site.