SUFC Online Ticket system security


Having different passwords for every site you use just isn't possible; you just wouldn't be able to remember them all. Including the ones I need for work, there must be 40-50 different sites, maybe more, that I need a password for. I've probably got about 10 different passwords that I use.

Use a password manager.
 

Use a password manager.
I assume that is pretty much a list of passwords, which would require another password to access?

I couldn't even begin to think of a different password for every site I use, I struggle as it is to think of one to use when I need to create one for a new site!
 
I assume that is pretty much a list of passwords, which would require another password to access?

I couldn't even begin to think of a different password for every site I use, I struggle as it is to think of one to use when I need to create one for a new site!
Highbury means something like lastpass, which stores and automatically fills username and password boxes, so you never need to remember each one. It can even generate unique and obscure passwords for sites because you never actually need to know them. These are stored securely and encrypted. I don't use them much myself, I use my own encryption method loosely based on my description above for 'standard' web sites. Others, such as PayPal etc. have much better ones based on no pattern, but anything is better than re-using the same password across many sites. Any site storing passwords unencrypted and passed in http rather than securely in https is asking for trouble and would concern me about other basic security measures that should be implemented.
 
Highbury means something like lastpass, which stores and automatically fills username and password boxes, so you never need to remember each one. It can even generate unique and obscure passwords for sites because you never actually need to know them. These are stored securely and encrypted. I don't use them much myself, I use my own encryption method loosely based on my description above for 'standard' web sites. Others, such as PayPal etc. have much better ones based on no pattern, but anything is better than re-using the same password across many sites. Any site storing passwords unencrypted and passed in http rather than securely in https is asking for trouble and would concern me about other basic security measures that should be implemented.
You're right, I should use different passwords. How would this password manager thing work though if I was accessing sites from different laptops/mobiles/PCs?

If as you say, I never actually need to know the password, how would I be able to access the same site from my laptop, work PC, mobile & tablet?
 
You're right, I should use different passwords. How would this password manager thing work though if I was accessing sites from different laptops/mobiles/PCs?

If as you say, I never actually need to know the password, how would I be able to access the same site from my laptop, work PC, mobile & tablet?

Lastpass will have you covered from all.
 
I use 1password on Windows, Mac, iPhone and iPad. All synced through Dropbox. There is an android client too. All paid for though...

The risk with using a password manager is that if your master password is compromised then you're fucked. Which is why you choose a fucking strong master password.
 
See lastpass.com for details on how it works, but basically you create an account and then install a plugin for your browser on each device that manages passwords for web pages. Other such services are available of course!

Using the same user name and password for most sites is easy and predictable, and hard to get away from doing, but worth doing.
It only takes one compromise from one badly maintained or even rogue web site for you to potentially have major problems, and it is amazing how much detail and damage can be done. Online shopping, email, banking, PayPal, ebay, Amazon, etc. What would your login details to those services be worth to fraudsters?
 
Storing unencrypted passwords is such a big no-no. The idea that a business of this size still does this is shocking. There is a site for naming and shaming these people - http://plaintextoffenders.com. Maybe you should add it to this site and inform the club that you have done so, you'd hope it would help them understand the seriousness of the issue.
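For anyone wondering what "not storing it unencrypted" actually looks like in code, here is an added example (my own, not the club's or the ticketing vendor's code). It shows the two things the posts above ask for: a site that keeps only a salted scrypt hash of each password, so it can verify a login but can never email the password back, and a reset-link flow of the kind Liverpool's site apparently has, which works precisely because the plaintext is never needed. The user record layout, the example email address and the scrypt cost settings are my assumptions, not anything from the vendor's system.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed record layout for this demonstration only (assumption, not the
# vendor's schema). Note there is no field that holds the password itself.
@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None

# scrypt cost parameters (assumed values; 2**14/8/1 needs ~16 MiB per call).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32  # 256-bit derived hash


def _scrypt(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of a password (hashlib.scrypt, stdlib)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def register(email: str, password: str) -> UserRecord:
    """Store a fresh random salt and the hash; the password itself is discarded."""
    salt = secrets.token_bytes(16)
    return UserRecord(email=email, salt=salt, pw_hash=_scrypt(password, salt))


def verify(record: UserRecord, password: str) -> bool:
    """Re-derive the hash from the supplied password and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, record.salt), record.pw_hash)


def forgot_password(record: UserRecord) -> str:
    """What a non-offending site emails: a one-time reset link, not the password.

    Only a SHA-256 of the token is kept, so a leaked database copy does not
    contain a usable reset token either.
    """
    token = secrets.token_urlsafe(32)
    record.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
    return f"https://tickets.example.invalid/reset?token={token}"  # assumed URL


def redeem_reset_token(record: UserRecord, token: str, new_password: str) -> bool:
    """Consume the token (single use) and set a new salt and hash."""
    if record.reset_token_hash is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, record.reset_token_hash):
        return False
    record.reset_token_hash = None
    record.salt = secrets.token_bytes(16)
    record.pw_hash = _scrypt(new_password, record.salt)
    return True


def token_from_link(link: str) -> str:
    """Helper for the demo: pull the token back out of the reset link."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    fan = register("fan@example.invalid", "correct horse battery staple")
    print("login ok:", verify(fan, "correct horse battery staple"))
    print("wrong pw:", verify(fan, "BladesFan2015"))
    link = forgot_password(fan)
    print("reset email would contain:", link)
    print("reset applied:", redeem_reset_token(fan, token_from_link(link), "new password"))
    print("old pw still works:", verify(fan, "correct horse battery staple"))
```

The point to notice is that the record has nowhere to keep the plaintext, so a "your password is ..." email is impossible by construction; two fans registering the same password also get different hashes because of the per-user salt, and the reset link is useless a second time.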


I actually considered plain text offenders but I thought it would be better to bring it up here first.
 
I've decided to take this problem up with the box office directly. If they don't give me a particularly good response, then I'll start making it known in the online security world that the ticket office are storing your details unencrypted and hopefully we can shame the club into fixing it.
 
I've decided to take this problem up with the box office directly. If they don't give me a particularly good response, then I'll start making it known in the online security world that the ticket office are storing your details unencrypted and hopefully we can shame the club into fixing it.

I've made initial contact personally too - but things have been slow due to being busy and not chasing up/speaking to people when planned. I have further reason to bring up a few additional, but related issues too, let me know how you get on.
 
I've made initial contact personally too - but things have been slow due to being busy and not chasing up/speaking to people when planned. I have further reason to bring up a few additional, but related issues too, let me know how you get on.


Been doing a bit of digging and it's not just us that has this problem. Everton use the same company as we do to power the ticketing solutions and guess what? They're plain text offending too!

Screen Shot 2015-01-22 at 17.52.24.png
 

Leeds as well, plus Bradford City.

Liverpool also use the same company (Advanced Ticketing), but it seems they've got a password reset feature.
 
Our forum geek, Highbury, he's on a mission
Scouring t'internet in a war of attrition
Seeing how others treat their supporters
Confidential details, then back to report us
Compare how we fare against the pack
Looking for scapegoats, some bugger to sack
He'll not be dissuaded, he'll not be put off
Til someone assuages his pet hate and wrath
 
Been doing a bit of digging and it's not just us that has this problem. Everton use the same company as we do to power the ticketing solutions and guess what? They're plain text offending too

We could spend months without much effort finding huge lists of offenders, but yep, it's an issue with the provider, rather than the Blades implementation alone... I'd give them the benefit of the doubt that they trust the service provider and don't necessarily have the in house resources to evaluate fully.
 
We could spend months without much effort finding huge lists of offenders, but yep, it's an issue with the provider, rather than the Blades implementation alone... I'd give them the benefit of the doubt that they trust the service provider and don't necessarily have the in house resources to evaluate fully.

Is there such thing as a data/information controller at BDTBL who is responsible for all the personal data they hold?
 
We could spend months without much effort finding huge lists of offenders, but yep, it's an issue with the provider, rather than the Blades implementation alone... I'd give them the benefit of the doubt that they trust the service provider and don't necessarily have the in house resources to evaluate fully.

Regardless it's a security risk, and given that it's hooked up to the box office, it's not one that you can opt out of.
 
Regardless it's a security risk, and given that it's hooked up to the box office, it's not one that you can opt out of.

Absolutely. Was merely suggesting the likely reasoning.
 
I know it's not very exciting compared to the beard signing but for those using Lastpass could I check a couple of points.
If you are not using the random password feature is it any different than having loads of different passwords yourself? I suppose I am asking: is that the killer benefit!!
Also I noticed you have to pay for the app on iPhone which I don't mind but does it link in correctly so you are not "locked" out of a site on either laptop or phone
Cheers
 
I know it's not very exciting compared to the beard signing but for those using Lastpass could I check a couple of points.
If you are not using the random password feature is it any different than having loads of different passwords yourself? I suppose I am asking: is that the killer benefit!!
Also I noticed you have to pay for the app on iPhone which I don't mind but does it link in correctly so you are not "locked" out of a site on either laptop or phone
Cheers


The killer benefit is you no longer have to remember all your passwords.

I have no idea how it works on mobile. I use 1password. Lastpass is an annual subscription btw.
 
The killer benefit is you no longer have to remember all your passwords.

I have no idea how it works on mobile. I use 1password. Lastpass is an annual subscription btw.
Cheers Highbury
I was looking more at the security part, most of the sites like this I stay signed in and the ones I don't want to I sign out and can remember the passwords.
 
Cheers Highbury
I was looking more at the security part, most of the sites like this I stay signed in and the ones I don't want to I sign out and can remember the passwords.

In my 1password file I have 200 passwords. There's no fucking way I could remember all of them if they were different.
 
Decided to get in touch with Jim about it via his Facebook page
 
