Simplemachines Forum is pretty good about not sending a password over the Internet in plain text. When you submit the login form, a script runs that does a pretty good job of hiding your password (salted SHA-1, if you're curious. If you're more curious,
http://animorphsforum.com/forum/Themes/default/script.js and
http://animorphsforum.com/forum/Themes/default/sha1.js are the actual code).
This doesn't work if, Javascript is turned off or--and this surprised me--
// Are they using an email address?
if (doForm.user.value.i ndexOf("@") != -1)
return;
you're using your e-mail address to login. In those cases, the form defaults to sending a password with no protection at all.
So, what's the impact? If someone wants to snoop your password
and has access to a computer near yours (most likely, you're using WiFi), you definitely don't want to send a plaintext password.
Such an adversary would also be able to copy the challenge/response pair of a login, and use that information to check guessed passwords without contacting RAF's servers.
And, such an adversary would be perfectly capable of side-jacking: copying your session cookie, bypassing login altogether, and thus be able to do whatever you can do while logged in.
Practically, there is very little impact. SMF is vulnerable to sidejacking. If you use public access points, someone in the area can surf alongside you, at least until you log out. If you log in using your e-mail address, they can log themselves back in whenever.
Assuming, of course that such a person exists.
But, it might be smart to get in the habit of using your username anyway. And don't login to RAF from Black Hat.
