Password Reset Form doesn't use HTTPS


#1

I recently had to reset my forgotten password and noticed that the link that was emailed to me was an HTTP link. After manually changing this to HTTPS, the page redirects to the password reset form which is again on an HTTP page. This is a very important form that should be protected by HTTPS. It also makes me wonder how securely passwords are stored on the back end of Newsblur.


#2

As far as I can see, NB uses the Django standard auth module, which by default uses the PBKDF2 algorithm with a SHA256 hash, and the other options you can set are good too: https://docs.djangoproject.com/en/2.1/topics/auth/passwords/

I haven’t gone in enough yet to speak to https issues; definitely sounds like a bug that needs looking into.
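For readers who want to see what the Django default described above actually produces, here is an added example (not NewsBlur's or Django's own code) that builds and verifies a password hash in the same `pbkdf2_sha256$iterations$salt$base64hash` layout Django stores in the `password` column, using only the standard library. The iteration count and the 12-character hex salt are assumptions chosen for illustration; Django's own hasher picks its own salt and iteration count per version.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed iteration count for this example (Django 2.1's hasher uses 120000 by
# default; later versions raise it). Higher is slower for attackers and for you.
ITERATIONS = 120000
ALGORITHM = "pbkdf2_sha256"


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a Django-style encoded hash: algorithm$iterations$salt$b64digest."""
    if salt is None:
        # Random per-password salt; 12 hex chars is an assumption for this demo.
        salt = secrets.token_hex(6)
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    b64 = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${b64}"


def check_password(password: str, encoded: str) -> bool:
    """Re-derive the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt, int(iterations))
    # hmac.compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored hash uses fewer iterations than the current policy.

    Django checks this on successful login so old hashes are upgraded over time.
    """
    return int(encoded.split("$", 3)[1]) < iterations


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(stored)
    print("login ok:", check_password("correct horse battery staple", stored))
    print("wrong pw:", check_password("Tr0ub4dor&3", stored))
```

The important properties to look for in any stored hash are visible in the string: a slow, iterated KDF, a unique salt per user, and an iteration count the server can raise later without invalidating existing accounts.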


#3

For clarity, are you talking about the newsblur service site or this forum?

I find this concerning too. For some strange reason I have to keep resetting my password to log into this forum site, even though I use a password manager to store my password. I saw the notice about no https too.


#4

I’m talking about the main Newsblur service, not this forum.

My worry is that if something like this was missed, then there could potentially be other more serious security issues with the service as well.