EmailDiscussions.com  

Old 30 May 2012, 05:17 PM   #1
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Runbox login & password security

I have a few questions about how Runbox handles logins and passwords.

The login form at runbox.com seems to default to an insecure login (plain HTTP) unless the user explicitly selects the "Secure" option, at which point the page reloads as secure.runbox.com (HTTPS). Is there any reason why secure login is not turned on by default? Every reputable e-mail provider these days uses secure login by default, and many companies use HTTPS for their entire web site so that the login form itself is delivered securely.

Even in 2012, there seems to be a worry that some users with extremely old computers might not be able to use HTTPS. But those users can always be told to click around a couple of times to get to an insecure login page. FM does this.

Another thing I noticed while going through the Runbox wiki is that there's a rather odd password policy. This page, for example, lists a bunch of special characters that can be used in a password, but the list doesn't contain characters such as ', ", ^, #, @, $, `, [, ], etc. A lot of passwords that I generate with LastPass would be disallowed under such a scheme. (I just generated a random password and it contains a dollar sign as well as a caret.) In addition, banning certain characters in passwords reeks of an insecure database design. Policies like this are typically employed by companies that store passwords in plain text and who are not properly escaping strings to guard against SQL injection attacks.

Moreover, the same page, as well as this page, suggests that it is possible to retrieve one's password instead of simply resetting it. But if customer passwords were stored securely, it should not be possible to retrieve current passwords, only reset them. This makes me suspect that Runbox is storing passwords in a way that is just as insecure as how FM does it, if not even more insecure, because at least FM doesn't allow you to retrieve your own password by e-mail.

Of course, since these points are based on my casual observation of a few web pages that might be outdated, I could be mistaken. But a lot of Runbox staff seem to be active on this forum, so I would like to see some clarifications about Runbox's current policy on login & password security and whether it plans to roll out any improvements in the near future.

Thanks.

Last edited by kijinbear : 30 May 2012 at 05:22 PM.

Old 31 May 2012, 02:29 PM   #2
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Update: I signed up for a trial account today.

1. The signup form, as well as everything after the signup, is served over unencrypted HTTP by default. That includes the form that takes my initial password. But payment details are not handled during this process, so at least that should be safe.

2. I get an "invalid password" error if I try to change my password to anything that contains the above special characters.

3. The password retrieval page sends me my password in plain text.

No bueno!

Edit: Changed my password. Webmail and IMAP accepted my new password immediately, but SMTP at secure.runbox.com (port 465, SSL) took about 15 minutes before it would accept my new password. Urgh.

Last edited by kijinbear : 31 May 2012 at 02:40 PM.
Old 31 May 2012, 03:06 PM   #3
William9
The "e" in e-mail
 
Join Date: Nov 2005
Location: San Francisco
Posts: 2,281
It's difficult for me to believe that passwords are sent in the clear.
Old 1 Jun 2012, 06:23 AM   #4
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Quote:
Originally Posted by William9
It's difficult for me to believe that passwords are sent in the clear.
Seeing is believing. Sign up and thou shalt know the truth.

I'm also having trouble copying over my IMAP folders, because some of my folder names contain an apostrophe (single quote). This is the first time I've encountered an e-mail service provider that doesn't allow apostrophes in folder names. (FM's web interface can't create folder names containing apostrophes, but they work just fine once I create them via IMAP.) It's as if somebody at Runbox is on a crusade against special characters. Again, this looks like a half-baked attempt at preventing injection attacks.

Finally, password length is limited to 16 characters. What is this, Hotmail?

I thought Runbox might be a worthy replacement for FM, but I'm beginning to feel rather disappointed with their lack of basic security precautions.
Old 1 Jun 2012, 05:25 PM   #5
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
We understand your concerns, and we are currently working to improve both the storage and transmission of user data. We won't detail exactly how we store these data or why, but you are incorrect in your assumption regarding the escaping of input strings.

Passwords can be up to 64 characters in length (what you refer to is probably an outdated text that has now been corrected), and while randomly generated passwords can work well for some users, others might want to use these tips on choosing, remembering, and protecting a password.

Since the employee buy-out and server move last summer we have worked hard to catch up on the backlog of hardware upgrades we had accumulated, especially with regards to redundancy and security. We have spent a lot of time rewriting our web application for Apache 2, and we're now getting close to deploying the new Runbox 6 in a closed beta. We will probably be forcing SSL on the new web servers on which Runbox 6 will run, and we will be much better positioned to further improve application and database security on the new platform.

- Geir
Old 1 Jun 2012, 11:51 PM   #6
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Quote:
Originally Posted by Geir
you are incorrect in your assumption regarding the escaping of input strings.
That's good to know.

Quote:
Originally Posted by Geir
Passwords can be up to 64 characters in length (what you refer to is probably an outdated text that has now been corrected),
This is what I'm seeing. Am I using the wrong webmail interface? When I try to enter anything above 16 characters, I get a "password too long" error.

Quote:
Originally Posted by Geir
and while randomly generated passwords can work well for some users, others might want to use these tips on choosing, remembering, and protecting a password.
I normally don't use randomly generated passwords with e-mail services, because I don't want to lose access to my e-mail in case my password manager goes down. But I was forced to use a random password in this case because my usual formula for producing strong and memorable passwords results in a 20+ char string containing some of the forbidden characters. I see no reason why I shouldn't be permitted to use something like "A^Common$PREfix@)))some_variation_of_service_name(((". Anything between 0x20 and 0x7E should be fair game. Sending me my password in plain text also makes me very uncomfortable.

Quote:
Originally Posted by Geir
We will probably be forcing SSL on the new web servers on which Runbox 6 will run, and we will be much better positioned to further improve application and database security on the new platform.
That sounds great. I hope the new version is more permissive in what kind of characters I can use in my passwords and folder names. I really like the fact that you are owned by employees and make it an explicit goal to support free software, but little annoyances (like not being able to have a folder with my university's name in it) tend to add up to a rather negative first impression.
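The handling argued for in posts #1 and #6, as an added Python example written for this thread (it is not Runbox's, FM's or any project's code): accept every printable ASCII character from 0x20 to 0x7E, store only a salted hash so the password can be verified but never retrieved, and pass user input to SQL as bound parameters so no character needs to be banned for the database's sake. The 8-character minimum, the 64-character maximum (Geir's stated limit), the PBKDF2 round count and the in-memory users table are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumed policy (not Runbox's): any printable ASCII character, 8 to 64 characters.
MIN_LEN, MAX_LEN = 8, 64
PBKDF2_ROUNDS = 200_000  # assumed work factor


def password_allowed(pw: str) -> bool:
    """Accept every character from 0x20 (space) to 0x7E (~). Control characters
    and non-ASCII are rejected only because this policy says so, not because
    any character is dangerous to the database."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in pw)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. Only the salt and digest (as hex) are kept,
    so the record can verify a password but never reveal it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    # The '$' separators are safe even for passwords containing '$': the
    # password itself never appears in the record, only hex digits do.
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn


def create_user(conn: sqlite3.Connection, username: str, pw: str) -> None:
    if not password_allowed(pw):
        raise ValueError("password violates policy")
    # Parameterised query: the driver binds the values, so quotes, semicolons
    # or backticks in the username or password never reach the SQL parser.
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        (username, hash_password(pw)),
    )
    conn.commit()


def check_login(conn: sqlite3.Connection, username: str, pw: str) -> bool:
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do one hash anyway so a missing account costs the same time as a wrong password.
        hash_password(pw)
        return False
    return verify_password(pw, row[0])


if __name__ == "__main__":
    db = new_db()
    secret = "A^Common$PREfix@)))some_variation_of_service_name((("  # the example from post #6
    create_user(db, "alice", secret)
    print("login ok:", check_login(db, "alice", secret))
    print("wrong pw:", check_login(db, "alice", secret + "x"))
```

Because the stored record contains only hex digits and a fixed prefix, a character that is awkward in one context (a quote in SQL, a dollar sign in a shell) never has to be excluded from passwords; the policy check exists to enforce length and printable ASCII, nothing else.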
Old 3 Jun 2012, 05:10 PM   #7
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Quote:
Originally Posted by kijinbear
This is what I'm seeing. Am I using the wrong webmail interface? When I try to enter anything above 16 characters, I get a "password too long" error.
Ah, I thought you were referring to the signup page which does allow passwords up to 64 characters in length (despite what it said until recently). We have fixed the password length issue on the Account screen in the upcoming Runbox 6, among other improvements both to Main Account and Sub-account management.

By the way, we have now changed the front page at http://www.runbox.com to send login requests to https://secure.runbox.com so that login details are never sent in the clear.

- Geir
Old 15 Sep 2013, 01:53 AM   #8
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
What about the passwords?

I mean, are they stored in plain text?
Old 16 Sep 2013, 04:04 PM   #9
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by 17pm
What about the passwords?

I mean, are they stored in plain text?
So, I contacted runbox support and asked them if they store passwords in plain text. They told me they couldn't tell, "for security reasons". Well, I'll assume (rightfully so, I think) they store it in plain text.

Also, if one checks this and this one can read:

"We see that many users choose passwords that are too simple, perhaps thinking that no one will try to gain access to their account, or that they don’t have anything to hide anyway." (First link)

and

"Never share your password with anyone. Runbox Support might ask you for the first or last character of your password to verify your identity, but we will never ask you to provide the whole password." (Second link)

I think those are hints that they do, indeed, store them in plain text.

I'd like some discussion on this please. I think this is a major turning point for some people, such as myself.
Old 16 Sep 2013, 04:29 PM   #10
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
I opened this thread 16 months ago. A lot of things may have changed since then, especially since Runbox seems to have been working hard on their new backend.

For example, the "forgot password?" function no longer sends your password in plain text. Instead, it sends you a link to reset your password. So the most obvious evidence of plain-text password storage is gone.
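The reset-link flow kijinbear describes in post #10, as an added Python example written for this thread rather than Runbox's code. It shows why a reset link is the natural design once only a salted hash is on file: the service has nothing it could mail back, and (the point behind post #9) it can check a submitted password only as a whole, not its first or last character. The 15-minute link lifetime, the PBKDF2 round count, the `make_record` storage format and the in-memory `users` dictionary are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
PBKDF2_ROUNDS = 100_000      # assumed work factor


def make_record(password: str) -> dict:
    """Salted PBKDF2 record. The password itself is never stored, so there is
    nothing the service could send back to the user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def check_record(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


class ResetService:
    def __init__(self, users: dict):
        self.users = users      # username -> record from make_record()
        self._pending = {}      # sha256(token) -> (username, expiry time)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and check_record(record, password)

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Return the one-time token to embed in the e-mailed link, or None for
        an unknown account. Only a hash of the token is kept server-side, so a
        copy of the pending table cannot be used without the original e-mail."""
        now = time.time() if now is None else now
        if username not in self.users:
            return None  # the caller should still answer "if the account exists, mail was sent"
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._pending[key] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (single use), reject it if expired, and replace the
        stored record. Any other pending tokens for the account are dropped."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username] = make_record(new_password)
        self._pending = {k: v for k, v in self._pending.items() if v[0] != username}
        return True


if __name__ == "__main__":
    svc = ResetService({"alice": make_record("old-password-1")})
    tok = svc.request_reset("alice")
    print("reset ok:", svc.complete_reset(tok, "new-password-2"))
    print("old login:", svc.login("alice", "old-password-1"))
    print("new login:", svc.login("alice", "new-password-2"))
```

The token goes only into the e-mailed link; the server keeps its SHA-256 so that a leaked or backed-up pending table does not let anyone complete a reset, and the pop-before-check order guarantees a token cannot be replayed even when the first attempt fails for being expired.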
Old 16 Sep 2013, 05:10 PM   #11
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by kijinbear
I opened this thread 16 months ago. A lot of things may have changed since then, especially since Runbox seems to have been working hard on their new backend.

For example, the "forgot password?" function no longer sends your password in plain text. Instead, it sends you a link to reset your password. So the most obvious evidence of plain-text password storage is gone.
Oh, I did not try the "forgot password" function. Good to know it no longer sends pwd's in plain text, thanks for letting us know.

Also, I know this is your thread and that it's an old one but I didn't feel like creating a new one.

Last edited by 17pm : 16 Sep 2013 at 05:16 PM.
All times are GMT +9.