Runbox Forum
30 May 2012, 05:17 PM | #1
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652

Runbox login & password security
I have a few questions about how Runbox handles logins and passwords.

The login form at runbox.com seems to default to an insecure login (plain HTTP) unless the user explicitly selects the "Secure" option, at which point the page reloads as secure.runbox.com (HTTPS). Is there any reason why secure login is not turned on by default? Every reputable e-mail provider these days uses secure login by default, and many companies use HTTPS for their entire web site so that the login form itself is delivered securely. Even in 2012, there seems to be a worry that some users with extremely old computers might not be able to use HTTPS. But those users can always be told to click around a couple of times to get to an insecure login page. FM does this.

Another thing I noticed while going through the Runbox wiki is that there's a rather odd password policy. This page, for example, lists a bunch of special characters that can be used in a password, but the list doesn't contain characters such as ', ", ^, #, @, $, `, [, ], etc. A lot of passwords that I generate with LastPass would be disallowed under such a scheme. (I just generated a random password and it contains a dollar sign as well as a caret.) In addition, banning certain characters in passwords reeks of an insecure database design. Policies like this are typically employed by companies that store passwords in plain text and who are not properly escaping strings to guard against SQL injection attacks.

Moreover, the same page, as well as this page, suggests that it is possible to retrieve one's password instead of simply resetting it. But if customer passwords were stored securely, it should not be possible to retrieve current passwords, only reset them. This makes me suspect that Runbox is storing passwords in a way that is just as insecure as how FM does it, if not even more insecure, because at least FM doesn't allow you to retrieve your own password by e-mail.

Of course, since these points are based on my casual observation of a few web pages that might be outdated, I could be mistaken. But a lot of Runbox staff seem to be active on this forum, so I would like to see some clarifications about Runbox's current policy on login & password security and whether it plans to roll out any improvements in the near future. Thanks.

Last edited by kijinbear : 30 May 2012 at 05:22 PM.
31 May 2012, 02:29 PM | #2
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652

Update: I signed up for a trial account today.

1. The signup form, as well as everything after the signup, is served over unencrypted HTTP by default. That includes the form that takes my initial password. But payment details are not handled during this process, so at least that should be safe.
2. I get an "invalid password" error if I try to change my password to anything that contains the above special characters.
3. The password retrieval page sends me my password in plain text. No bueno!

Edit: Changed my password. Webmail and IMAP accepted my new password immediately, but SMTP at secure.runbox.com (port 465, SSL) took about 15 minutes before it would accept my new password. Urgh.

Last edited by kijinbear : 31 May 2012 at 02:40 PM.
31 May 2012, 03:06 PM | #3
The "e" in e-mail
Join Date: Nov 2005
Location: San Francisco
Posts: 2,281

It's difficult for me to believe that passwords are sent in the clear.
1 Jun 2012, 06:23 AM | #4
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652

I'm also having trouble copying over my IMAP folders, because some of my folder names contain an apostrophe (single quote). This is the first time I've encountered an e-mail service provider that doesn't allow apostrophes in folder names. (FM's web interface can't create folder names containing apostrophes, but they work just fine once I create them via IMAP.) It's as if somebody at Runbox is on a crusade against special characters. Again, this looks like a half-baked attempt at preventing injection attacks.

Finally, password length is limited to 16 characters. What is this, Hotmail?

I thought Runbox might be a worthy replacement for FM, but I'm beginning to feel rather disappointed with their lack of basic security precautions.
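The posts above argue that a character whitelist and a short length cap on passwords, and a ban on apostrophes in folder names, are symptoms of plaintext storage and string-escaping rather than proper design. The following is an added example (written for this page, not code from the thread or from Runbox) showing the design under which neither restriction is needed: passwords are stored only as a salted PBKDF2-HMAC-SHA256 hash of their UTF-8 bytes, and user-supplied strings reach the database through parameterized queries. The iteration count, the SQLite schema and the user name "kijinbear" (the poster's handle, reused as a sample account) are assumptions made for the example.

```python
"""Added example, not Runbox's code: a password store that never needs a
character whitelist or a short length cap, because it stores only a salted
PBKDF2 hash of the UTF-8 password bytes, and a folder table written with
parameterized queries, so apostrophes in folder names are plain data."""
import hashlib
import hmac
import os
import sqlite3

# Assumption: work factor for PBKDF2-HMAC-SHA256; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The password is hashed as UTF-8 bytes, so quotes, $, ^, #, @, backticks,
    brackets and non-ASCII letters are all fine, and so is any length.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def new_db():
    """Assumed schema: an in-memory SQLite database for the walk-through."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("CREATE TABLE folders (owner TEXT NOT NULL, name TEXT NOT NULL, UNIQUE (owner, name))")
    return conn


def create_user(conn, name, password):
    # Only the hash reaches the database; the plaintext cannot be mailed back later.
    conn.execute("INSERT INTO users (name, password_hash) VALUES (?, ?)",
                 (name, hash_password(password)))


def check_login(conn, name, password):
    row = conn.execute("SELECT password_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        hash_password(password)  # same cost as a real check, so unknown names are not faster to probe
        return False
    return verify_password(password, row[0])


def create_folder(conn, owner, name):
    # The '?' placeholder binds the name as a value; SQLite never parses it as SQL,
    # so there is nothing to escape and no reason to forbid apostrophes.
    conn.execute("INSERT INTO folders (owner, name) VALUES (?, ?)", (owner, name))


def list_folders(conn, owner):
    rows = conn.execute("SELECT name FROM folders WHERE owner = ? ORDER BY name", (owner,))
    return [r[0] for r in rows]


def demo():
    """Constructed walk-through: a 56-character password containing every
    character the wiki page left out, and two folder names with apostrophes."""
    conn = new_db()
    password = "p@s$^`#[']\"wörd-" + "x" * 40
    create_user(conn, "kijinbear", password)
    create_folder(conn, "kijinbear", "Mom's recipes")
    create_folder(conn, "kijinbear", "St. Mary's University")
    return {
        "password_length": len(password),
        "login_ok": check_login(conn, "kijinbear", password),
        "wrong_password_rejected": not check_login(conn, "kijinbear", password + "!"),
        "unknown_user_rejected": not check_login(conn, "nobody", password),
        "folders": list_folders(conn, "kijinbear"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the stored value is a fixed-size digest, the database column never sees the password's characters or length, which is also why a "send me my password" feature cannot exist on top of this design: the server has nothing to send.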
1 Jun 2012, 05:25 PM | #5
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of: Runbox.com

We understand your concerns, and we are currently working to improve both the storage and transmission of user data. We won't detail exactly how we store these data or why, but you are incorrect in your assumption regarding the escaping of input strings.
Passwords can be up to 64 characters in length (what you refer to is probably an outdated text that has now been corrected), and while randomly generated passwords can work well for some users, others might want to use these tips on choosing, remembering, and protecting a password.

Since the employee buy-out and server move last summer we have worked hard to catch up on the backlog of hardware upgrades we had accumulated, especially with regards to redundancy and security. We have spent a lot of time rewriting our web application for Apache 2, and we're now getting close to deploying the new Runbox 6 in a closed beta. We will probably be forcing SSL on the new web servers on which Runbox 6 will run, and we will be much better positioned to further improve application and database security on the new platform.

- Geir
1 Jun 2012, 11:51 PM | #6
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652

That sounds great. I hope the new version is more permissive in what kind of characters I can use in my passwords and folder names. I really like the fact that you are owned by employees and make it an explicit goal to support free software, but little annoyances (like not being able to have a folder with my university's name in it) tend to add up to a rather negative first impression.
3 Jun 2012, 05:10 PM | #7
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of: Runbox.com

By the way, we have now changed the front page at http://www.runbox.com to send login requests to https://secure.runbox.com so that login details are never sent in the clear.

- Geir
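The change described in the reply above fixes one of the two problems raised in the opening post (where credentials are posted to) but not the other (the form itself still arrives over plain HTTP). The following is an added example, not the forum's or Runbox's code, of an offline check a site owner can run against saved HTML to report both: it finds every form with a password field, resolves its action against the page URL, and flags plain-HTTP posting, plain-HTTP delivery of the form, and non-POST methods. The two HTML documents are constructed for the example, and the "/login" path is an assumption, not Runbox's real endpoint.

```python
"""Added example, not the forum's or Runbox's code: an offline audit of a
page's login forms that reports the two things the thread complains about,
a form that posts credentials over plain HTTP and a form that is itself
delivered over plain HTTP. The HTML below is constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url):
    """Return one finding per form that takes a password: the resolved action
    URL and the list of problems (empty when the form is safe)."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action posts back to the page's own origin and scheme.
        action = urljoin(page_url, form["action"])
        problems = []
        if urlsplit(action).scheme != "https":
            problems.append("credentials posted over plain HTTP")
        if urlsplit(page_url).scheme != "https":
            problems.append("form delivered over plain HTTP, so its action can be rewritten in transit")
        if form["method"] != "post":
            problems.append("method is not POST, password would appear in the URL and server logs")
        findings.append({"action": action, "problems": problems})
    return findings


# Constructed front pages: the pre-fix layout (relative action on an HTTP page)
# and the post-fix layout described in the reply above (action on secure.runbox.com).
# The "/login" path is an assumption for the example, not Runbox's real path.
BEFORE_FIX_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="secure"> Secure
</form></body></html>"""

AFTER_FIX_HTML = """<html><body>
<form action="https://secure.runbox.com/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""


if __name__ == "__main__":
    for label, html in (("before", BEFORE_FIX_HTML), ("after", AFTER_FIX_HTML)):
        print(label, audit_login_forms(html, "http://www.runbox.com/"))
```

Run against the "after" page fetched from http://www.runbox.com/ the audit still reports one finding, the plain-HTTP delivery of the form; only serving the front page itself over HTTPS clears the list, which is the point the opening post makes about sites that use HTTPS for the whole site.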
15 Sep 2013, 01:53 AM | #8
Cornerstone of the Community
Join Date: Sep 2013
Posts: 536

What about the passwords?
I mean, are they stored in plain text?
16 Sep 2013, 04:04 PM | #9
Cornerstone of the Community
Join Date: Sep 2013
Posts: 536

So, I contacted runbox support and asked them if they store passwords in plain text. They told me they couldn't tell, "for security reasons". Well, I'll assume (rightfully so, I think) they store it in plain text.

Also, if one checks this and this one can read: "We see that many users choose passwords that are too simple, perhaps thinking that no one will try to gain access to their account, or that they don't have anything to hide anyway." (First link) and "Never share your password with anyone. Runbox Support might ask you for the first or last character of your password to verify your identity, but we will never ask you to provide the whole password." (Second link) I think those are hints that they do, indeed, store them in plain text.

I'd like some discussion on this please. I think this is a major turning point for some people, such as myself.
16 Sep 2013, 04:29 PM | #10
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652

I opened this thread 16 months ago. A lot of things may have changed since then, especially since Runbox seems to have been working hard on their new backend.

For example, the "forgot password?" function no longer sends your password in plain text. Instead, it sends you a link to reset your password. So the most obvious evidence of plain-text password storage is gone.
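The post above notes that "forgot password?" now sends a reset link rather than the password, which is the only option once the server holds nothing it could mail back. As an added example (not code from the thread or from Runbox) of what sits behind such a link, the token store below issues a random single-use token for the e-mail, keeps only its SHA-256 digest with an expiry time, and on redemption returns the account the link belongs to. The one-hour lifetime, the in-memory storage and the sample user name are assumptions for the example; the actual password change would then go through whatever hashing the site uses.

```python
"""Added example, not Runbox's code: a reset-link token store of the kind a
"forgot password?" feature needs once passwords are no longer recoverable.
The server keeps only a SHA-256 digest of each token, so a database read
reveals neither passwords nor usable reset links."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumption: reset links stay valid for one hour


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PasswordResetTokens:
    def __init__(self):
        # digest -> (username, expires_at); the token itself is never stored
        self._pending = {}

    def issue(self, username, now=None):
        """Create a single-use token for the e-mailed link and return it to the mailer."""
        now = time.time() if now is None else now
        # A newer request supersedes older links for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the username the link belongs to, or None if the token is unknown,
        already used or expired. The record is removed on first use either way."""
        now = time.time() if now is None else now
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None
        username, expires_at = record
        if now > expires_at:
            return None
        return username

    def pending_count(self):
        return len(self._pending)

    def contains_plaintext(self, token):
        """Helper for the example: True only if the raw token leaked into storage."""
        return any(token in key for key in self._pending)


def demo():
    """Constructed walk-through with a fixed clock so the results are deterministic."""
    store = PasswordResetTokens()
    t0 = 1_000_000.0
    token = store.issue("kijinbear", now=t0)
    leaked = store.contains_plaintext(token)          # storage holds only the digest
    first = store.redeem(token, now=t0 + 60)          # fresh link: works once
    second = store.redeem(token, now=t0 + 61)         # same link again: rejected
    stale = store.issue("kijinbear", now=t0)
    expired = store.redeem(stale, now=t0 + TOKEN_TTL_SECONDS + 1)
    bogus = store.redeem("not-a-real-token", now=t0)
    return {"leaked": leaked, "first": first, "second": second,
            "expired": expired, "bogus": bogus}


if __name__ == "__main__":
    print(demo())
```

Storing the digest rather than the token matters for the same reason as hashing passwords: anyone who reads the table sees values that cannot be turned back into a working link, so a leaked database does not hand out account takeovers via the reset flow.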
16 Sep 2013, 05:10 PM | #11
Cornerstone of the Community
Join Date: Sep 2013
Posts: 536

Also, I know this is your thread and that it's an old one but I didn't feel like creating a new one.

Last edited by 17pm : 16 Sep 2013 at 05:16 PM.