Angeló, posted May 29, 2017

So this is new - whenever I log in to my side account on Firefox it tells me there may be security issues with the log-in process ... I clicked on it and I got this message:

Insecure password warning in Firefox

Firefox will display a lock icon with red strike-through in the address bar when a login page you’re viewing does not have a secure connection. This is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers. Starting in Firefox version 52, you will also see a warning message when you click inside the login box to enter a username or password.

What can I do if a login page is insecure?

If a login page for your favorite site is insecure, you can try and see if a secure version of the page exists by typing https:// before the url in the location bar. You can also try to contact the web administrator for the site and ask them to secure their connection.

Not recommended: You can also continue to log in to the website even if the connection is insecure, but do so at your own risk. If you do go this route, try to use a unique password or a password that you don’t also use for other important sites.

About insecure pages

Pages that need to transmit private information, such as credit cards, personal information and passwords, need to have a secure connection to help prevent attackers from stealing your information. (Tip: A secure connection will have "HTTPS" in the address bar, along with a green lock icon.)

Pages that don’t transmit any private information can have an unencrypted connection (HTTP). It is not advised to enter private information, such as passwords, on a web page that shows HTTP in the address bar. The information you enter can be stolen over this insecure connection.

IT Savvies, what should I do?? Should I be concerned for my account?!!!!!

jellysundae, posted May 29, 2017

I've been getting this for quite some time. It freaked me out at first, but I guess it's something we just have to put up with until JS updates its security protocols? I laughed at the bit that says

44 minutes ago, Angeló said:
> You can also try to contact the web administrator for the site and ask them to secure their connection.

Like they should need asking that... Let us consult the man who knows... @Scoobert_Doo Are we safe?

ladycanary, posted May 30, 2017

I've been getting that message on Neo and other sites as well. I would assume Neo is no less secure than it ever was, so I just dismissed it as Firefox being goofy.

Scoobert_Doo, posted May 30, 2017

Neopets, since its beginnings, has never used "https://" (aka secure) for logging in. So, for Neopets, nothing has changed. @ladycanary is correct. And, yes, your login information is not secure. But, since it has been this way on Neopets, I wouldn't worry, too much, as long as you follow suggestions in paragraph 4.

Firefox, since version 52, released in March of this year, and Chrome, with version 56, released in February of this year, now warn about sites that don't use "https://" for login information. Firefox is more "visual" with their warnings, than Chrome. Firefox, also, will not "remember" login information (user name, password) for sites that don't use "https://". Their (Firefox, Chrome) intent is to make people aware that their login information isn't secure, and for them to ask the website to use "https://" for secure logins - i.e., if enough people ask/complain, then maybe it will convince the website to do so. Please note, too, with Firefox, you may see the same warning when you access areas on Neopets that use a PIN, if you have enabled that feature.

When you log in to Neopets, your login information, such as user name and password, is sent in "clear text" - unencrypted. Meaning, if your user name is "John Doe" and your password is "water", it is sent to the website just like you typed it. If a "bad guy" is on the same network as you, and is using packet "sniffing" software, they would be able to see that you go to Neopets and know that your login is "John Doe" and your password is "water".

Best practice is to create a user name and password that you ONLY use on Neopets and no other website. If your account is ever hacked, the "bad guy" would not be able to access any of your other accounts, well, hopefully not. Also, make sure you use a password that is at least 8 characters long (the longer, the better) and use a combination of upper case, lower case, numbers, and special characters.

Even better, come up with a sentence and use the first letter of each word for your password. The sentence doesn't have to make sense, just only to you. So, you can make it silly or wacky as you want. For example, if I use the sentence "The quick brown fox jumped over the lazy dog.", my password might look like this: Tq$fJ0#@

Even though Neopets is not secure, using a complex password is still a good idea. Changing it every so often, is a good idea, too. It would still make it hard for some to "guess" your password.

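
The condition behind the warning discussed in this thread can be checked from a page's HTML. The following is an added example, not part of any post here and not Firefox's own code: it flags a password field on a page loaded without HTTPS and, going one step beyond what the thread covers, a form on an HTTPS page that still submits to an HTTP address. The host game.example, the sample forms and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormFinder(HTMLParser):
    """Collects the form action that applies to each password input."""

    def __init__(self):
        super().__init__()
        self._action = None   # action of the <form> currently open, if any
        self.actions = []     # one entry per password field found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # A field outside any <form> is treated as submitting to the page.
            self.actions.append(self._action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_page(page_url, html):
    """Return sorted reasons why a password typed here travels unencrypted."""
    finder = _PasswordFormFinder()
    finder.feed(html)
    findings = set()
    page_scheme = urlsplit(page_url).scheme
    for action in finder.actions:
        if page_scheme != "https":
            findings.add("password field on a page loaded over " + page_scheme)
        target = urljoin(page_url, action)  # empty action resolves to the page
        if urlsplit(target).scheme != "https":
            findings.add("password submitted to " + target)
    return sorted(findings)


# Constructed sample pages; game.example is a placeholder host.
LOGIN_FORM = ('<form action="/login.phtml" method="post">'
              '<input name="username"><input type="password" name="password">'
              '</form>')
MIXED_FORM = LOGIN_FORM.replace("/login.phtml", "http://game.example/login.phtml")

if __name__ == "__main__":
    for url, page in [("http://game.example/login", LOGIN_FORM),
                      ("https://game.example/login", MIXED_FORM),
                      ("https://game.example/login", LOGIN_FORM)]:
        print(url, audit_login_page(url, page) or "no cleartext exposure found")
```

An empty result only means the form itself is delivered and submitted over HTTPS; it says nothing about how the site stores passwords.
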
Yuiina, posted May 30, 2017

I've noticed that since I created my side accounts, but since no one "unknown" uses my internet I don't think I've reasons to be worried about? (correct me if I am wrong) Thank you @Scoobert_Doo, what would we do without you?

Angeló, posted May 30, 2017

That's a great answer Scoobert. You know I'm asking because since I lost 3 side accounts for over a month and a half over the security breach that happened a while ago - I've become super cautious and borderline paranoid ... my passwords are all crazy difficult now ... LET'S ALL SEND TICKETS TO JS / TNT DEMANDING HTTPS

jellysundae, posted May 30, 2017

1 hour ago, Angeló said:
> That's a great answer Scoobert. You know I'm asking because since I lost 3 side accounts for over a month and a half over the security breach that happened a while ago - I've become super cautious and borderline paranoid ... my passwords are all crazy difficult now ... LET'S ALL SEND TICKETS TO JS / TNT DEMANDING HTTPS

Might be a good editorial question to send in? Actually I'd have thought it was a VERY good editorial question to send in.

acmerasta, posted May 30, 2017

Thanks Scoobert. I lost my first account due to hacking and never got it back. Took me a while to come back and then when I did it wasn't consistent for a long time. I changed how I behaved on Neo too... I didn't join a guild again until recently, I stopped interacting on the boards for a long time and just avoided being very social. I was even here for a long time before I actually started actively participating. I just didn't feel safe.

I was watching some testimonials on YouTube with some Neo players confessing to cheating and hacking people's accounts. It's appalling. For all the censoring and rules that TNT has, something as simple as employing the HTTPS protocol to protect users hasn't seemed to occur to them or they don't really care that much. It might even make their jobs a bit easier as there would be less complaints of hacking and frozen accounts and investigations. Maybe they'd then have time to run more site events or fix Key Quest.....

As complex as you make the password on Neo though, the fact that it's not being encrypted negates that complexity. I'm with Angelo and Jelly... let's send in questions/tickets asking for HTTPS to be used.

Angeló, posted May 30, 2017

Thanks for submitting a question to the editorial. Each week we choose the most interesting, frequently asked or just plain bizarre submissions. Make sure you check the next editorial as your question could be there :)

jellysundae, posted May 30, 2017

Good on ya, @Angeló

I honestly cannot BELIEVE passwords aren't encrypted, I thought they were on every site. Hmm, that explains why - in the questions they ask about lost accounts - why they ask for past passwords. I wondered about that before because I assumed they were encrypted so they'd have no ability to see what it was so why ask, now I know otherwise!

acmerasta, posted May 30, 2017

Thanks for submitting a question to the editorial. Each week we choose the most interesting, frequently asked or just plain bizarre submissions. Make sure you check the next editorial as your question could be there :)

Question submitted! Maybe we should submit every week until we get an answer.... Ok so I'm really about to go all Susan B Anthony on this and suggest a whole campaign of sustained petitions and advocacy and active democracy *dusts off soap box*

Angeló, posted May 30, 2017

I went ahead and started reading on http and https ... in order to migrate to https you need to buy a license and install it ... shouldn't be too hard for a huge company like neopets / js

HTTP to HTTPS Migration Index

- Buying an SSL Certificate or Using Let’s Encrypt
- Installing your SSL Certificate
- Update all Hard-coded Links to HTTPS
- Update Custom JS, AJAX Libraries to HTTPS
- Add 301 Redirects to New HTTPS URLs
- Update your robots.txt File
- Install SSL Certificate on CDN
- Update Origin URL on CDN
- Enable HTTP/2 Support on CDN
- Update all Hard-coded CDN Links to HTTPS
- SEO: Google Search Console, Sitemaps, Fetch
- SEO: Resubmit Your Disavow File
- Update Your Google Analytics Profile URL
- Misc Updates

acmerasta, posted May 30, 2017

I'm wondering if they just don't want to pay for it? You are supposed to renew your certificates annually and of course keep them updated with the latest security protocols etc.