RISC OS Open: Forum: Logging into ROOL

Oct 19, 2014 1:43am

Tennant Stuart (2505) 122 posts

How come ROOL makes me type in my loooooooooong email address and password every time I log in?

That doesn’t happen with other forums.

Oct 19, 2014 9:06am

Rick Murray (539) 13840 posts

That doesn’t happen with other forums.

Other forums probably use cookies and a “keep me signed in” option (though sometimes this is automatic).

While this is a convenience, it is also crappy “security”, especially if you access said forum from any public arena or have a computer that others could access. You will notice that ROOL doesn’t make personal information available on the account control panel (not that they have much info).
Somebody, somewhere, is taking security here a bit more seriously than a lot of sites…

Oct 19, 2014 9:20am

Steve Fryatt (216) 2105 posts

How come ROOL makes me type in my loooooooooong email address and password every time I log in?

You mean you don’t use a browser that remembers details like this if you ask it to?

Oct 19, 2014 9:36am

Rick Murray (539) 13840 posts

You mean you don’t use a browser that remembers details like this if you ask it to?

Because he asked the question, I’m assuming he is using NetSurf that does not remember.

All my other devices (Android, iOS, Firefox…) do remember. It is useful but dangerous. Useful that I can get in to my favourite sites easily, but dangerous that I only remember the passwords to maybe three or four of them… ;-)

Oct 19, 2014 10:03am

Steve Pampling (1551) 8170 posts

but dangerous that I only remember the passwords to maybe three or four of them

True, not so secure with various utilities around.

Oh, you mean if you lose the profile content you lose the password because you can’t remember – in which case pull up a profile backup file, load it, run the utility and make a note somewhere (in cryptic form¹ if you like) and then work through changing them to something easy to remember and hard to crack (not that Uppercase, lowercase and number stuff)

¹ e.g. This Is the Road to Hell ==> T1tRtH (easy to remember harder to crack)

Oct 20, 2014 1:22am

Tennant Stuart (2505) 122 posts

So, basically you guys are saying that Risc OS is crap?

Or just Netsurf?

While [cookies are] a convenience, it is also crappy “security”, especially if you access said forum from any public arena or have a computer that others could access.

Yeah, but I’m not, and perfectly typing in a long email address every single time is a huge pain.

Oct 20, 2014 7:59am

Steve Pampling (1551) 8170 posts

So, basically you guys are saying that Risc OS is crap?
Or just Netsurf?

Netsurf is missing some features. Although not remembering passwords could be seen as a security feature it does have.

Why not just keep a text file of the long email address and copy-paste into the user field?
Then type in your password…

Oct 20, 2014 11:58am

Rick Murray (539) 13840 posts

Not having a feature does not automatically make something “crap”.
Plus, the browser is not related to the operating system (we’re not Microsoft!).

Oct 20, 2014 12:50pm

Tennant Stuart (2505) 122 posts

Indeed so, but you told me how your other devices (Android, iOS, Firefox) were so much better. :)

Why not just keep a text file of the long email address and copy-paste into the user field?

Good idea, Steve, I’ve done that! :)

Oct 20, 2014 1:36pm

Chris Johnson (125) 825 posts

Why not use Ffiller by Kevin Wells. It works fine on the ROOL site. I use it, and very easy it is.

http://kevsoft.co.uk/

Oct 20, 2014 5:44pm

Steve Pampling (1551) 8170 posts

Good idea, Steve, I’ve done that!

I think Chris’s suggestion of Form Filler may be better.

As to the paste in bit – I work in IT, specifically networking, and extracting a text configuration file altering it and pasting into another device is not just common it’s pretty much the official method.

Oct 20, 2014 5:57pm

Kevin (224) 322 posts

Why not use Ffiller by Kevin Wells. It works fine on the ROOL site. I use it, and very easy it is.

http://kevsoft.co.uk/

Or Passman from the same site.

Oct 20, 2014 6:10pm

Steve Pampling (1551) 8170 posts

Or Passman from the same site.

I’d have said the same if the passwords were not stored in plain text format in a directory in Choices.

Oct 20, 2014 6:36pm

Rick Murray (539) 13840 posts

Indeed so, but you told me how your other devices (Android, iOS, Firefox) were so much better. :)

Better is relative. They are better in that they can remember passwords (and handle more scripting/etc) than NetSurf, however…

Android: The “stock browser” is old because it is Android v2.3.something and Android’s deplorable update mechanism is incapable of dealing with OS patches/updates without the carrier getting their grubby little mitts all over it – which they are generally extremely unwilling to do because it doesn’t benefit them (they’ve already sold you the phone…). It is basically a coin toss as to whether or not articles on TheRegister.co.uk will crash the browser (actually, it’s the crappy advertising but that’s the site that takes out my phone’s browser the most often).
Firefox is available for Android. It takes an eternity to do anything. I do not understand why, with a 1GHz dual core processor and something like half a GiB of RAM, this phone is sooooooo slow.

iOS: The Safari browser is lovely for general day to day internet requirements. It isn’t perfect, but it is nice looking, renders well, is responsive… unfortunately because iOS has no real concept of a filesystem (at least, not from the user PoV) it is not possible to download files. For that I need to use the Dolphin browser and “cheat” by downloading the file into Dolphin and then use “Open with…” to transfer the file into the other app; which takes a really long time (minutes if your file is measured in hundreds of megabytes – is it byte copying or something?).
I won’t be upgrading to iOS8, it doesn’t offer anything that impresses me enough to deal with the chaos of freeing up 5.3GB on a 16GiB device; plus losing the additional space iOS8 itself will claim for rubbish I really have no need for like the health kit stuff. Panoramic photos (that Android has done since forever) and a draggy-swipey keyboard (that Android has done since forever) are wishlist wants, but they alone don’t provide enough incentive. It would be nice if iOS understood garbage collection, or allowed you to access the underlying filesystem with iTunes, because deleting and reinstalling an app to claim ~300MB of space because the OS can’t keep track of scrap/lost files is pathetic in 2014. And why is my mail claiming a gigabyte? Don’t they understand expiry? I guess not, as even messages deleted manually fail to release space.
The mish-mash of GiB and GB is not an error. iOS uses GB. Sane people use GiB.

FireFox (Windows): The most capable (obviously) but it runs under Windows which has its own problems, plus it requires 2GiB in order to not crash every time I do anything with it. Of course, having BarTab look after 584 tabs (about 25 active, the rest inactive) might have bearing on this. I’m a real one for “open in a new tab” ‘cos I’ll take a look at it later. Later, however, is an undefined quantity and may be hours/days/weeks/months/years/lifetimes/eras/epochs in the future. :-)
I have not added service packs to XP since the end of 2012. Why? XP is stored on the 4GiB SSD ‘C:’ drive. Which is full. Everything has added its necessary rubbish to \Windows\System32 and patched so many big important things into \Documents and Settings that I actually had to do a filesystem hack with junction points (think: symlink) to be able to install that utter bloatware known as iTunes. The drive is full. Possibility of update – zero (put a bigger SSD in C:, the D: SSD vanishes – don’t ask me why, BIOS bug?).

tl;dr version: Just because something does something useful, it doesn’t mean it gets everything else right. And just because something doesn’t do this useful thing doesn’t automatically mean it is bad.

Oct 20, 2014 6:46pm

Rick Murray (539) 13840 posts

I’d have said the same if the passwords were not stored in plain text format in a directory in Choices.

Seriously? Even a child might have thought to at least ROT13 or some version of Caeser’s Cypher on them to obscure the passwords from being directly readable. Even something like write the passwords to a bit of memory, invert the bits, then record the hex values of each byte¹.
Weak, but it depends upon how readily the program offers up the passwords. Anything’s better than having it all in plain text.

Oh, wait. I’ve just had a thought. Maybe he wants to enhance your security, so he is ROT13ing the passwords twice just to be sure? 8-D

¹ But the first byte should be an encoded length count, or lots of FF FF FF at the end would be a dead giveaway.

Oct 20, 2014 7:21pm

Steve Pampling (1551) 8170 posts

Seriously? Even a child might have thought to at least ROT13

There was a swipe card access system at work 10+ years ago that swapped the top and bottom four bits of the ascii characters in the operator passwords.
Anyway, when I’d accessed the system as Admin and upped the access level of a couple of other accounts I moved on to enabling extra features.

Oct 20, 2014 7:32pm

Steve Pampling (1551) 8170 posts

Which is full. Everything has added its necessary rubbish to \Windows\System32

drop down to \windows check out the Uninistall items for all the patches you applied. Delete those and the matching .log files to clear some space. Modify the pagefile settings with most of your swap space on D: Don’t leave the system with no pagefile on C: as it sulks and slows things. Make sure pagefiles are fixed size. (On XP Pro there is a file PageFileConfig.vbs that allows you to things without the GUI garbage.)

Oct 20, 2014 8:02pm

Rick Murray (539) 13840 posts

Thanks for the suggestions.

Already deleted all of the uninstall stuff for the various patches (I would delete them after a week if the system was stable).
There is no swapfile. That would trash an SSD in no time. It’s Flash-based, not a harddisc.

Oct 21, 2014 1:52pm

Dave Higton (1515) 3526 posts

I have suggested before that I think it would be handy if the ROOL site permitted login by putting the credentials on the end of the URL. That would allow logging in directly from a “favourite”, which all browsers permit. No cookies would be involved.

How secure it would be is primarily up to the users: only save such a favourite on a computer that is believed to be secure, e.g. at home because of physical security.

Oct 22, 2014 6:58am

Malcolm Hussain-Gambles (1596) 811 posts

My suggestion would be to prevent the login form from allowing autocomplete. (randomise the password id field?)
That way everyone will get the same result.
Credentials in a GET request is fine if you don’t mind your username and password being shown in server logs.
Double ROT13 encryption is fine for me on RISC OS at the moment, but it would be nice to have a passwordsafe compatible app on RISC OS so I can share my password files.
(Yes I am aware what double ROT13 encryption is, I’m that good I can even type in it!)

Oct 22, 2014 1:12pm

Ron Briscoe (400) 78 posts

If you want an encrypted password program, try CrypStor
by Frank-de-Bruijn.

Available at <http://aconet.org/crypstor/>

Regards

Oct 22, 2014 5:58pm

Chris Dewhurst (1709) 167 posts

FWIW I never ever let any site store my user name and password even on my own computers and even if there is the facility to do so. The extra time spent typing credentials in every time is worth it for my peace of mind.

Also if I go for too long relying on autofill I will have forgotten the credentials anyway so it’s a good memory sharpener.

Chris

Oct 22, 2014 6:11pm

Vince M Hudd (116) 534 posts

(Yes I am aware what double ROT13 encryption is, I’m that good I can even type in it!)

Pfft. Everyone and his dog knows about double-ROT13 by now, which is why I tend to advocate quadruple-ROT13 these days.

Oct 31, 2014 1:53am

Tennant Stuart (2505) 122 posts

I prefer tredecuple-ROT13, which works just fine.

Logging into ROOL

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Oct 19, 2014 1:43am Tennant Stuart (2505) 122 posts	How come ROOL makes me type in my loooooooooong email address and password every time I log in? That doesn’t happen with other forums.

Oct 19, 2014 9:06am Rick Murray (539) 13840 posts	That doesn’t happen with other forums. Other forums probably use cookies and a “keep me signed in” option (though sometimes this is automatic). While this is a convenience, it is also crappy “security”, especially if you access said forum from any public arena or have a computer that others could access. You will notice that ROOL doesn’t make personal information available on the account control panel (not that they have much info). Somebody, somewhere, is taking security here a bit more seriously than a lot of sites…

Oct 19, 2014 9:20am Steve Fryatt (216) 2105 posts	How come ROOL makes me type in my loooooooooong email address and password every time I log in? You mean you don’t use a browser that remembers details like this if you ask it to?

Oct 19, 2014 9:36am Rick Murray (539) 13840 posts	You mean you don’t use a browser that remembers details like this if you ask it to? Because he asked the question, I’m assuming he is using NetSurf that does not remember. All my other devices (Android, iOS, Firefox…) do remember. It is useful but dangerous. Useful that I can get in to my favourite sites easily, but dangerous that I only remember the passwords to maybe three or four of them… ;-)

Oct 19, 2014 10:03am Steve Pampling (1551) 8170 posts	but dangerous that I only remember the passwords to maybe three or four of them True, not so secure with various utilities around. Oh, you mean if you lose the profile content you lose the password because you can’t remember – in which case pull up a profile backup file, load it, run the utility and make a note somewhere (in cryptic form¹ if you like) and then work through changing them to something easy to remember and hard to crack (not that Uppercase, lowercase and number stuff) ¹ e.g. This Is the Road to Hell ==> T1tRtH (easy to remember harder to crack)

Oct 20, 2014 1:22am Tennant Stuart (2505) 122 posts	So, basically you guys are saying that Risc OS is crap? Or just Netsurf? While [cookies are] a convenience, it is also crappy “security”, especially if you access said forum from any public arena or have a computer that others could access. Yeah, but I’m not, and perfectly typing in a long email address every single time is a huge pain.

Oct 20, 2014 7:59am Steve Pampling (1551) 8170 posts	So, basically you guys are saying that Risc OS is crap? Or just Netsurf? Netsurf is missing some features. Although not remembering passwords could be seen as a security feature it does have. Why not just keep a text file of the long email address and copy-paste into the user field? Then type in your password…

Oct 20, 2014 11:58am Rick Murray (539) 13840 posts	Not having a feature does not automatically make something “crap”. Plus, the browser is not related to the operating system (we’re not Microsoft!).

Oct 20, 2014 12:50pm Tennant Stuart (2505) 122 posts	Indeed so, but you told me how your other devices (Android, iOS, Firefox) were so much better. :) Why not just keep a text file of the long email address and copy-paste into the user field? Good idea, Steve, I’ve done that! :)

Oct 20, 2014 1:36pm Chris Johnson (125) 825 posts	Why not use Ffiller by Kevin Wells. It works fine on the ROOL site. I use it, and very easy it is. http://kevsoft.co.uk/

Oct 20, 2014 5:44pm Steve Pampling (1551) 8170 posts	Good idea, Steve, I’ve done that! I think Chris’s suggestion of Form Filler may be better. As to the paste in bit – I work in IT, specifically networking, and extracting a text configuration file altering it and pasting into another device is not just common it’s pretty much the official method.

Oct 20, 2014 5:57pm Kevin (224) 322 posts	Why not use Ffiller by Kevin Wells. It works fine on the ROOL site. I use it, and very easy it is. http://kevsoft.co.uk/ Or Passman from the same site.

Oct 20, 2014 6:10pm Steve Pampling (1551) 8170 posts	Or Passman from the same site. I’d have said the same if the passwords were not stored in plain text format in a directory in Choices.

Oct 20, 2014 6:36pm Rick Murray (539) 13840 posts	Indeed so, but you told me how your other devices (Android, iOS, Firefox) were so much better. :) Better is relative. They are better in that they can remember passwords (and handle more scripting/etc) than NetSurf, however… Android: The “stock browser” is old because it is Android v2.3.something and Android’s deplorable update mechanism is incapable of dealing with OS patches/updates without the carrier getting their grubby little mitts all over it – which they are generally extremely unwilling to do because it doesn’t benefit them (they’ve already sold you the phone…). It is basically a coin toss as to whether or not articles on TheRegister.co.uk will crash the browser (actually, it’s the crappy advertising but that’s the site that takes out my phone’s browser the most often). Firefox is available for Android. It takes an eternity to do anything. I do not understand why, with a 1GHz dual core processor and something like half a GiB of RAM, this phone is sooooooo slow. iOS: The Safari browser is lovely for general day to day internet requirements. It isn’t perfect, but it is nice looking, renders well, is responsive… unfortunately because iOS has no real concept of a filesystem (at least, not from the user PoV) it is not possible to download files. For that I need to use the Dolphin browser and “cheat” by downloading the file into Dolphin and then use “Open with…” to transfer the file into the other app; which takes a really long time (minutes if your file is measured in hundreds of megabytes – is it byte copying or something?). I won’t be upgrading to iOS8, it doesn’t offer anything that impresses me enough to deal with the chaos of freeing up 5.3GB on a 16GiB device; plus losing the additional space iOS8 itself will claim for rubbish I really have no need for like the health kit stuff. Panoramic photos (that Android has done since forever) and a draggy-swipey keyboard (that Android has done since forever) are wishlist wants, but they alone don’t provide enough incentive. It would be nice if iOS understood garbage collection, or allowed you to access the underlying filesystem with iTunes, because deleting and reinstalling an app to claim ~300MB of space because the OS can’t keep track of scrap/lost files is pathetic in 2014. And why is my mail claiming a gigabyte? Don’t they understand expiry? I guess not, as even messages deleted manually fail to release space. The mish-mash of GiB and GB is not an error. iOS uses GB. Sane people use GiB. FireFox (Windows): The most capable (obviously) but it runs under Windows which has its own problems, plus it requires 2GiB in order to not crash every time I do anything with it. Of course, having BarTab look after 584 tabs (about 25 active, the rest inactive) might have bearing on this. I’m a real one for “open in a new tab” ‘cos I’ll take a look at it later. Later, however, is an undefined quantity and may be hours/days/weeks/months/years/lifetimes/eras/epochs in the future. :-) I have not added service packs to XP since the end of 2012. Why? XP is stored on the 4GiB SSD ‘C:’ drive. Which is full. Everything has added its necessary rubbish to `\Windows\System32` and patched so many big important things into `\Documents and Settings` that I actually had to do a filesystem hack with junction points (think: symlink) to be able to install that utter bloatware known as iTunes. The drive is full. Possibility of update – zero (put a bigger SSD in C:, the D: SSD vanishes – don’t ask me why, BIOS bug?). tl;dr version: Just because something does something useful, it doesn’t mean it gets everything else right. And just because something doesn’t do this useful thing doesn’t automatically mean it is bad.

Oct 20, 2014 6:46pm Rick Murray (539) 13840 posts	I’d have said the same if the passwords were not stored in plain text format in a directory in Choices. Seriously? Even a child might have thought to at least ROT13 or some version of Caeser’s Cypher on them to obscure the passwords from being directly readable. Even something like write the passwords to a bit of memory, invert the bits, then record the hex values of each byte¹. Weak, but it depends upon how readily the program offers up the passwords. Anything’s better than having it all in plain text. Oh, wait. I’ve just had a thought. Maybe he wants to enhance your security, so he is ROT13ing the passwords twice just to be sure? 8-D ¹ But the first byte should be an encoded length count, or lots of FF FF FF at the end would be a dead giveaway.

Oct 20, 2014 7:21pm Steve Pampling (1551) 8170 posts	Seriously? Even a child might have thought to at least ROT13 There was a swipe card access system at work 10+ years ago that swapped the top and bottom four bits of the ascii characters in the operator passwords. Anyway, when I’d accessed the system as Admin and upped the access level of a couple of other accounts I moved on to enabling extra features.

Oct 20, 2014 7:32pm Steve Pampling (1551) 8170 posts	Which is full. Everything has added its necessary rubbish to \Windows\System32 drop down to \windows check out the Uninistall items for all the patches you applied. Delete those and the matching .log files to clear some space. Modify the pagefile settings with most of your swap space on D: Don’t leave the system with no pagefile on C: as it sulks and slows things. Make sure pagefiles are fixed size. (On XP Pro there is a file PageFileConfig.vbs that allows you to things without the GUI garbage.)

Oct 20, 2014 8:02pm Rick Murray (539) 13840 posts	Thanks for the suggestions. Already deleted all of the uninstall stuff for the various patches (I would delete them after a week if the system was stable). There is no swapfile. That would trash an SSD in no time. It’s Flash-based, not a harddisc.

Oct 21, 2014 1:52pm Dave Higton (1515) 3526 posts	I have suggested before that I think it would be handy if the ROOL site permitted login by putting the credentials on the end of the URL. That would allow logging in directly from a “favourite”, which all browsers permit. No cookies would be involved. How secure it would be is primarily up to the users: only save such a favourite on a computer that is believed to be secure, e.g. at home because of physical security.

Oct 22, 2014 6:58am Malcolm Hussain-Gambles (1596) 811 posts	My suggestion would be to prevent the login form from allowing autocomplete. (randomise the password id field?) That way everyone will get the same result. Credentials in a GET request is fine if you don’t mind your username and password being shown in server logs. Double ROT13 encryption is fine for me on RISC OS at the moment, but it would be nice to have a passwordsafe compatible app on RISC OS so I can share my password files. (Yes I am aware what double ROT13 encryption is, I’m that good I can even type in it!)

Oct 22, 2014 1:12pm Ron Briscoe (400) 78 posts	If you want an encrypted password program, try CrypStor by Frank-de-Bruijn. Available at <http://aconet.org/crypstor/> Regards

Oct 22, 2014 5:58pm Chris Dewhurst (1709) 167 posts	FWIW I never ever let any site store my user name and password even on my own computers and even if there is the facility to do so. The extra time spent typing credentials in every time is worth it for my peace of mind. Also if I go for too long relying on autofill I will have forgotten the credentials anyway so it’s a good memory sharpener. Chris

Oct 22, 2014 6:11pm Vince M Hudd (116) 534 posts	(Yes I am aware what double ROT13 encryption is, I’m that good I can even type in it!) Pfft. Everyone and his dog knows about double-ROT13 by now, which is why I tend to advocate quadruple-ROT13 these days.

Oct 31, 2014 1:53am Tennant Stuart (2505) 122 posts	I prefer tredecuple-ROT13, which works just fine.