|Don't ask to ask, just ask|
Anger Managementby afoken (Chancellor)
|on Jan 22, 2017 at 10:47 UTC||Need Help??|
So, this meditation is about anger management. Or maybe failed anger management. You will notice an abrupt end, at a point where I just wanted to yell at everyone.
I stumbled over an old thread, Is there a Perl authentication and authorisation framework for CGI web application?, where Your Mother gave this really good answer:
Password recovery means passwords are stored in a readable fashion and this is a worst practice, so itís just as well it doesnít do it.
What happened since then?
I must have missed something. It must be so. I don't want to believe that it took three f***ing years to increase the password length by just two characters and call that "case closed". I don't want to believe that after 7.5 years, perlmonks still stores passwords unhashed, unsalted in plain text.
But still, there is a link to What's my password? on the login form, it still requires just a username or a mail address, and it sends me my password in plain text in an unencrypted mail, together with my username!
WHAT THE F**K?!
Yes, I took a deep breath. Several. I slowly counted to 100. Several times.
ARE YOU KIDDING ME?!
7.5 years and nothing relevant has changed. Perlmonks passwords are obviously still stored in plain text, or in a form that can be decrypted on the server, which is as bad as plain text.
That's a login system that would make the worst amateurs blush.
People have been told for years to avoid MD5 hashes because they are insecure. People have been told for years to salt hashes with long, random salts, and to use really expensive hash functions, like bcrypt or PBKDF2.
Yet, perlmonks still uses plain text passwords, 7.5 years after many, if not all, passwords have been copied by some script kiddies? And to add insult to injury, perlmonks happily sends out login name and password in plain text. No traces of a time-limited one-time link for setting a new password. No trace of even the simplest way, sending out one mail with the username, and a second one with the password.
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)