If/when HTTPS gets fixed it may be an idea to tell members about it. In amongst all the emails telling me that my account with password 123456 or asdasd had been accessed was one with a genuine(but old) C&F password in the subject line. I guess this was picked up from an HTTP connection on a compromised free WiFi somewhere. No big deal but it is a temptation to open the email.

Those emails quoting actual passwords are normally not derived from websites visited or used; they are derived from hacked lists, often arising from security breaches at internet providers. You can check whether a particular email has been hacked in this fashion, and even when it was likely to have been, by visiting:

https://haveibeenpwned.com/

_________________
"Only connect!"

https://youtu.be/ezbWVysJAOY
https://tapm.bandcamp.com/

The only list containing my C&F password will be the one maintained by this board. If that had been hacked I think you would have had more comments. I suspect a hacked WiFi router at a pub or cafe somewhere, or their third-party WiFi provider - the logo for which got attached to a link to this board in Safari. With http passwords are not encrypted.

I'm no IT expert, but the point is that it isn't websites that your password would have been gleaned from. When you enter a password on a computer (including a smartphone), at that moment, it can be harvested. That has nothing to do with the website concerned. It's the ISP that's been hacked. If you follow that link I gave you and you type your email address in, you'll see the likely breach that caused your password to be on a separate, hacked list. I suppose it could be a WiFi router, but, from the breaches that I've seen, it's much more likely to be an ISP. There have been many, and very well publicised.

_________________
"Only connect!"

https://youtu.be/ezbWVysJAOY
https://tapm.bandcamp.com/

There's no need to hack the ISP to get the C&F login password. Anyone on the same network can do it very easily. Any traffic that isn't encrypted, e.g. sites using http:// (and not https:// sends everything in the open, and every single computer on that network can watch the traffic in clear, with only the simplest of tools. And in hotels it's extremely likely that someone is doing just that, and in cafeterias and the like it's also not uncommon (but hotels have hundreds of guests so that's a very attractive target for harvesting).
The only way to fix that is to go to https:// where neither the login credentials nor the cookie used afterwards can be seen (using https:// just for the login part removes the most obvious problem - the one anyone can use straight away, with no knowledge: Getting the account name/password. But using http:// for the rest still leaves the cookie in the open, although using that one for nefarious purposes needs more than %0 knowledge).

Ben - as I understand it the situation is along the lines described by Tor. If you have a WiFi connection which does not require a password then the traffic can be intercepted. If it does have a password then the router needs to be hacked but many can be. Then the harvested passwords are put on a list and sold.

That's why people use https - so that it is encrypted all the way between the browser and the server hosting the web page. Routers and ISPs don't see the password.

For C&F admin one advantage of https would be that less passwords would go onto lists so fewer people would tell you that the site may have ben hacked. (And if a lot of people did then maybe the problem really was at your end)

It's not necessary to hack the router if you have access to the network via the password, as is the case for WPA- or WPA2-encrypted public (e.g. cafeterias) networks (or just via a login page as is often the case for hotels). You'll then be able to see all network traffic. The network encryption is only to protect from listening / connecting by others, it's not protecting those on the network from each other. For that you need HTTPS, VPN, or other per-device encryption.

Ah, OK, right you are. Anyhow, as one security advice site puts is succinctly "Public Wi-Fi is inherently insecure"

By contrast, I've never actually heard of an ISP being hacked and that being the source of passwords being lost. The main method I am familiar with is dumping passwords from a website's own database. This isn't hard to do for some websites.

Part of the problem is that this can go un-noticed for a while and then the passwords show up in some other public dump. A large portion of https://haveibeenpwned.com 's passwords are from such harvests and just added to a list. Passwords and personal information doesn't sell for a lot individually, so you usually see it in massive heaps. This is also how you end up with out-dated passwords in lists that show up in some the phishing emails where someone claims to know your password. (You can read about each of the largest breaches on the website. You'll see in the description that LinkedIn, or MySpace, had had passwords and data exposed that may have gone unknown for a while. Again, the point is that it was the website itself that had the problem.)

(I'm a little bit of a Cybersecurity enthusiast. I hope to become a Security auditor at some point; so I read up on how to hack websites and try to practice hacking on my own when I get the chance.)