
Anger Management

by afoken (Chancellor)
on Jan 22, 2017 at 10:47 UTC (#1180110)

So, this meditation is about anger management. Or maybe failed anger management. You will notice an abrupt end, at a point where I just wanted to yell at everyone.

I stumbled over an old thread, Is there a Perl authentication and authorisation framework for CGI web application?, where Your Mother gave this really good answer:

Password recovery means passwords are stored in a readable fashion and this is a worst practice, so it's just as well it doesn't do it.

And that reminds me of an even older thread, What happened?. Linked from there, there is Status of Recent User Information Leak, with the following promise:

Strengthening Authentication

The administrators are planning to implement hashed passwords (allowing more than 8 chars).

What happened since then?

This is what I found in Tidings through 2014-11-10 after visiting Tidings:

10-character passwords now allowed

Jun 10, 2012 at 06:30 CEST

PerlMonks forms used to specify a maximum password length of 8 characters while it was possible to give yourself a 10-character password by bypassing these forms. Now the forms specify a maximum password length of 10 characters.

I must have missed something. It must be so. I don't want to believe that it took three f***ing years to increase the password length by just two characters and call that "case closed". I don't want to believe that after 7.5 years, perlmonks still stores passwords unhashed, unsalted in plain text.

But still, there is a link to What's my password? on the login form, it still requires just a username or a mail address, and it sends me my password in plain text in an unencrypted mail, together with my username!

Hey there.

You or someone else has requested a password for your username or e-mail address.

Before you freak out, take a few deep breaths and remember that it's YOU and not THEM who is getting this password.

Here's your info:

username: afoken

passwd: *****

human name: Alexander Foken

love, the management


Yes, I took a deep breath. Several. I slowly counted to 100. Several times.



7.5 years and nothing relevant has changed. Perlmonks passwords are obviously still stored in plain text, or in a form that can be decrypted on the server, which is as bad as plain text.

That's a login system that would make the worst amateurs blush.

People have been told for years to avoid MD5 hashes because they are insecure. People have been told for years to salt hashes with long, random salts, and to use really expensive hash functions, like bcrypt or PBKDF2.

Yet, perlmonks still uses plain text passwords, 7.5 years after many, if not all, passwords have been copied by some script kiddies? And to add insult to injury, perlmonks happily sends out login name and password in plain text. No traces of a time-limited one-time link for setting a new password. No trace of even the simplest way, sending out one mail with the username, and a second one with the password.


Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
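
The measures the post above asks for (a long random salt, an expensive hash such as PBKDF2, and a time-limited one-time link instead of mailing the password) as an added Python example; it is not PerlMonks code and not part of the original post. The function and class names, the iteration count and the 15-minute link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to your hardware
RESET_TTL = 15 * 60    # assumed lifetime of a reset link, in seconds


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ResetTokens:
    """Time-limited, single-use reset tokens; the server keeps only their hash."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (username, expiry timestamp)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # this value goes into the mailed link
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, now + RESET_TTL)
        return token

    def redeem(self, token, new_password, users, now=None):
        """Set a new password if the token is known, unused and not expired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop: a token works at most once
        if entry is None or now > entry[1]:
            return False
        users[entry[0]] = hash_password(new_password)
        return True
```

With this layout there is nothing a "What's my password?" form could mail out: the server can check a password or replace it, but cannot recover it.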

Replies are listed 'Best First'.
Re: Anger Management
by LanX (Saint) on Jan 22, 2017 at 11:38 UTC

    The system is complicated and PM (which is run by volunteers) doesn't have the resources to simply change this aspect.


    For comparison: My online banking is limited to a 5 letter login without special characters!

    A friend and security expert explained to me that's because most banks are still running legacy systems on mainframes.

    And I suppose they have more resources than us.

    Cheers Rolf
    (addicted to the Perl Programming Language and ☆☆☆☆ :)
    Je suis Charlie!

      Sure it's believable, it's just not true

      You've witnessed the number of new bugs code changes bring; improving the login parts would break everything only to protect no money

Re: Anger Management
by soonix (Canon) on Apr 30, 2017 at 16:12 UTC
    At least it's not that bad
    (link goes to "programmer humour", but some of the comments seem to indicate a tad of reality)
