[Xk]

You have a very severe security vulnerability on your site. Please provide an email address in your info I can contact you at. (The email field is hidden to others.)

Edit: interwho has fixed the vulnerability. There was a CSRF allowing you to take over someone else's account if they visited your site.

[vnorby]

The site is asking for an email which also happens to be a PayPal account (Placeholder text is "Email (and PayPal) address..."), along with a password. The user is not a known quantity and it's his/her first submission to HN, it's very possible he/she is hoping that PayPal email addresses/passwords that you put in match. There is no HTTPS, no seals or verification, no guarantees of the security of any of your data and that your password is not being stored in plaintext. There is a security vulnerability and the site was a purchased template. It's quite possibly legit, but without more information I would avoid.

[interwho]

I'm bcrypting the passwords.

Exact method: sha1(bcrypt(sha1(md5.'othersalt').'salt').'anothersalt') and a few more salts + sha1s

[LeafStorm]

Which means nothing if it is possible to snipe the passwords from the HTTP request. Firesheep, anyone?

[interwho]

You're right, I'll get a security cert + force ssl.

[david_shaw]

>You're right, I'll get a security cert + force ssl.

As someone who has worked in security for years--in particular, application security assessments--thank you for taking the sometimes hard-to-swallow criticism well, and deciding to actually fix things rather than just deflect the issue. You probably have no idea how many (even reputable) organizations decide to "accept the risk" and ignore security findings. (Edit: More so than the SSL issue, I'm talking about fixing the CSRF)

>The user is not a known quantity and it's his/her first submission to HN, it's very possible he/she is hoping that PayPal email addresses/passwords that you put in match.

There is nothing wrong with the logic in this statement, but you also need to be careful how far you take it. One could argue that any of the small "Show HN" posts around here are hoping to harvest credentials. In fact, I'm sure that some of them do. When using software as a service--or indeed, any web application--there is an inherent degree of trust behind it. Even if the user had made many HN posts, or not bought the pre-made site (which looks nice, IMO), or purchased an HTTPS certificate... credential harvesting is still a real threat.

Even bigger services that claim to encrypt password databases have often been shown to in fact do nothing of the sort (eg, sending password reminder emails etc).

This is why security guys worth their salt will always suggest using random passwords for every service you sign up for and keeping them in an encrypted file a la KeePass or a TrueCrypt container with a long, complicated "master password" for the archive. Additionally, it's always a great idea to enable 2-factor authentication where ever possible (for example, Google accounts).

[interwho]

If I didn't take any criticism, how would I improve? :)

As to the fact that this is my first post here, I've been a lurker for a long time, and finally had something good to post. I've been on reddit and a few developer forums under this username (and interwhos) for much longer.

Thank you for writing this.

[interwho]

Done. You can also contact me via the contact link at the bottom of the page.

Thanks for letting me know.

[Xk]

Thanks. Will do.

edit: support email sent

[interwho]

Got it. Thanks a ton!

[interwho]

Fixed. Thanks!