Earnings Disclaimer: All the posts published herein are merely based on individual views, and they do not expressly or by implications represent those of NewProxyLists or its owner. It is hereby made clear that NewProxyLists does not endorse, support, adopt or vouch any views, programs and/or business opportunities posted herein. NewProxyLists also does not give and/or offer any investment advice to any members and/or it’s readers. All members and readers are advised to independently consult their own consultants, lawyers and/or families before making any investment and/or business decisions. This forum is merely a place for general discussions. It is hereby agreed by all members and/or readers that NewProxyLists is in no way responsible and/or liable for any damages and/or losses suffered by anyone of you.
I am about to sign up for an online school, which is an accredited
statewide online school, and notice that the password they want me to
enter is fully visible on the form. Should I be concern about their
Not necessarily. Masking the password simply protects it from the prying eyes of someone looking over your shoulder.
The more interesting question is: is the form submitted securely using https ?
The password policy is very outdated and not very smart: “At least 8 characters long and must only contains letters and numbers”. Seriously ? In 2020 ? They effectively enforce poor/less than ideal passwords.
So many sites will insist on at least one special character nowadays (that still doesn’t mean the password policy is sound though).
What this tells me: the designer is not very confident in the ability of the code to handle special characters. Red flag. Old code (legacy) perhaps. Or it is an arbitrary decision, not a technical constraint. Assumption: the developer has no clue. Red flag.
When you think of it, requesting password confirmation becomes pointless in this scenario, since you can see exactly what you typed. The same could be said about the E-mail too. What is the point of frustrating users with double input.
Does a form like this indicates that the way the way the school
protects students’ data is not secure, such as storing password
verbatim rather than something like one-way hash?
Not necessarily but you can’t be sure. You can try the password reminder feature (if there is one) and see if it sends you the original password back. Then it’s bad and you have proof that the password is stored in plain text. However, if you get a link to reset, that does not prove that the password is indeed stored in hashed form. Only a look at the code or the database could confirm this, but we can make educated guesses.
If such forms violate established data security practices, what
document(s) should I refer to the school’s IT people regarding that?
First of all, try to evaluate the scope of the problem. Is https used ? Can you prove that passwords are stored in plain text ? If any of the boxes tick, you can add the poor password policy on top of it. While you are it, you can look at the URL, also after submitting the form and see if it carries bits of data that shouldn’t be there.
I have a server and I want my iPhone to connect to it securely. However, I cannot just install the self-signed server certificate on my iPhone. When I install the profile (that’s what they call the certificate), it says “Not verified”.
Normally, you would go to CA Trust settings and enable full trust for the certificate. BUT I deliberately made the certificate with
critical,CA:false constraint. That’s the reason it does not show in the CA Trust settings.
Why did I do it — I just need to install the single certificate and I don’t want to totally compromise my iPhone security, if my CA credentials got stolen.
Do this have a solution? iOS probably requires a CA to trust a certificate, but I don’t want a possibility to create certificates at all (beside the one), or at least for another domains.
One potential “solution” might be to create the CA, sign the server certificate and then delete the CA key, as it would not be needed and would live for a shorter time (lower chance to get stolen).
However, people except me wouldn’t be stoked to install it. (I don’t want to buy a certificate as its a home project and I don’t even have a domain name, just the IP address.)
The certificate complies with apple’s current requirements for server certificates. (https://support.apple.com/en-us/HT210176)
I do agree with the security concerns being posted here, but there still may be a market for such an app. I think a good use case for an app like this is for a shared task list – there are a lot of ways to build a shared to-do list, but all of them require at least a registration if not a download of some type, and it’s a pain.
So, I’d say if you’re going to keep it registration-free, then it would be pretty critical to provide some kind of warning to the user that their list is essentially public; maybe some kind of “I agree” consent form. You could even brand it as public, and offer registration as an additional, “private” tier of lists.
As long as users are aware of the risk that having a public to-do list entails, I’m sure there are plenty of people that would be okay with sharing their list with the world. Now getting users to read and understand your warning and NOT put sensitive information out there…that’s certainly a challenge.
I’m finding a way to let passangers sign up or login, only using google or facbook account, without showing up the default “signup by email”. Is there any way to do this?
My reason is, I want to build an LMS site, and I think that the above method would narrow the possiblity that registrant would share their accounts.
1] Install apk and verify your account.
2] I have to confirm you.
3] Write here or PM your registered name in apk.
4] I send you 50 BMF points – Billing once a day.
5] Only for first 7 users.
Description this airdrop:
Cryptocurrency Airdrop for Mobile. Coin is Q.
Paypal’s future currency.
Earn money for free before initiative Q becomes famous.
Each currency is estimated to worth 1 dollar in the future.
By inviting each person you can earn 1600 dollars for free.
The entire concept of having that rally at this time in that place was idiotic. The American people have had enough of this clown show.
The Fox News poll released last week shows Biden’s lead over Trump widening to a 12-point lead, up from an 8-point lead last month.
Don’t forget that you earn 500 ecoin for every valid refferral( a refferral is said to be valid if he or she verify his or her phone number through telegram) you can join here
Ecoin aims to be the first cryptocurrency to onboard billion users with the worlds simplest onboarding strategy, Are you ready ?
Like so many things in UX, the answer is “it depends”.
Does your site have tons of visitors but relatively few authenticated users who probably stay signed in forever? Highlight the Register button and see if it entices more people to sign up.
Or is your site one with dedicated users that can’t stay signed in for technical reasons (security, device switching, etc.)? Put the Sign In button front and center so those people can get back to doing what they need.
When an average person lands on your home page, what is the single most important thing they will want to do? Build the UI to support that flow.
The risk here is also super low. If a user wants to sign in or register and you have a button for that which is clearly labeled and not hidden, they will probably click it no matter what visual styling it has. Try some things out. Pick some metrics, do an A/B test and see what happens!
I am building a professional network and I am considering whether I should pre-fill sign-up form with the data that we obtain from the email enrichment API.
The current sign-up flow is:
- User gives their email.
- We send an email, which is used to authenticate user.
- Once they are authenticated, they are brought to the onboarding flow.
- The onboarding flow asks them questions such as: “What is your name?” “What is your Twitter?”, etc.
This question is regarding the last step.
In theory, we don’t need to ask the user to enter most of this data because we can pull it from email enrichment APIs. Just by having user’s email (90% of the time) we can already pull their full name, their social profiles, and most of the other typical information about user’s public presence. Therefore, should we just pre-fill this information for the user?
If we were to follow this pattern, the first thing that the user would see after clicking on the link we’ve sent to their email would be this form with their first name and last name pre-filled and advising about the source of the information.
Has anyone done it before?
How was this perceived?
What are the possible downsides?