
Now Viewing: Password

Ruffy16 - Group: Member - Total Posts: 23
Password
Posted on: 02/09/12 11:29AM

Where can I change my password?



Ruffy16 - Group: Member - Total Posts: 23
Posted on: 02/09/12 11:34AM

If I can't change it, how can I delete my account?

Because someone has hacked my acc. sometimes :(



Jerl - Group: The Real Administrator - Total Posts: 6713
Posted on: 02/09/12 12:54PM

You can neither change your password, nor delete your account.



Ruffy16 - Group: Member - Total Posts: 23
Posted on: 02/09/12 12:56PM

puuh, really :(



Jerl - Group: The Real Administrator - Total Posts: 6713
Posted on: 02/09/12 01:50PM

Yes.



Dolljoints - Group: Member - Total Posts: 113
Posted on: 02/09/12 04:09PM

Would you mind giving the details of why you think someone has hacked your account? I.e., what has it done that you think you didn't do?

Even if the account can't be deleted, it can be locked (banned), and if someone has hacked it, they may in short order abuse it and get it locked anyway.

It would be preferable to lock user accounts on request rather than effectively forcing them to do something abusive in order to get it locked.



lozertuser - Group: The Fake Administrator - Total Posts: 2232
Posted on: 02/09/12 04:41PM

You can change your password by logging out and clicking reset password. This will only work if you attached an email to your account.



ChaosGX - Group: Member - Total Posts: 72
Posted on: 02/09/12 09:50PM

I didn't attach an email. Hope no one guesses my password... gulp.



Anti_Gendou - Group: Moderator - Total Posts: 4370
Posted on: 02/10/12 12:36AM

Because it is so worth a hacker's time to obtain a Gelbooru account...



Dolljoints - Group: Member - Total Posts: 113
Posted on: 02/10/12 10:00PM

A troll might consider it worth doing, if they could do it easily. People might not appreciate being perma-banned and having to come back with a different identity. Mod accounts are worth more internet points, and there are at least 14 of those to choose from, including mods in training. Do any of them use Gelbooru from their mobile phone?

Gelbooru uses two cookies for authentication - user_id and pass_hash. The password hash is the same every time you log in, and the cookies are sent as plaintext to the server on every HTTP request you make while logged in, so all an attacker needs to do is sniff one request and they can impersonate you to the server until you change your password, which many people can't do because they didn't enter an email.

The server could instead assign a random session password and save that until the user logged out or logged in again; then stolen cookies would at least only work for the duration of the session.

Better yet, the server could use https, which people have found to be cost-effective on modern computer hardware (e.g. www.imperialviolet.org/2010/06/25/overclocking-ssl.html ) and which would also prevent your ISP from snooping on your Gelbooru surfing. Mod and admin sessions at least should be forced to https, with the secure attribute set on the cookie so it won't be sent via unsecured http.

[edit] Bonus link: blogs.wsj.com/digits/2010...0-gawker-media-passwords/
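
The post above contrasts a cookie that carries the stored password hash with a random per-session token sent only over https. The sketch below is an added example, not part of the thread and not Gelbooru's code. The `SessionStore` class, the `session` cookie name, the sample user, the SHA-256 stand-in hash and the extra `HttpOnly` flag are all assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed sample account. The hash function is a stand-in; the thread
# does not say which one the site uses.
USERS = {"42": hashlib.sha256(b"example-password").hexdigest()}


def static_cookies(user_id):
    """Scheme described in the post: the cookie carries the stored hash,
    so its value is identical on every login until the password changes."""
    return {"user_id": user_id, "pass_hash": USERS[user_id]}


class SessionStore:
    """Alternative from the post: a random token kept server-side."""

    def __init__(self):
        self._by_user = {}  # user_id -> current session token

    def login(self, user_id):
        # A new login replaces (and so revokes) any earlier token.
        token = secrets.token_urlsafe(32)
        self._by_user[user_id] = token
        return token

    def logout(self, user_id):
        self._by_user.pop(user_id, None)

    def check(self, user_id, token):
        current = self._by_user.get(user_id)
        if current is None:
            return False
        # Constant-time comparison of the presented and stored token.
        return secrets.compare_digest(current.encode(), token.encode())


def session_cookie_header(token):
    """Set-Cookie value with Secure, so the browser never sends the
    cookie over plain http (HttpOnly is an addition beyond the post)."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()
```

A token captured from one session stops validating as soon as the user logs out or logs in again, whereas the `pass_hash` cookie stays valid until the password itself changes.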


