Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??
I realize many have already given their two cents here. As my two cents are of a slightly different shade, I will add them to the pile.

  1. I used a random password on PerlMonks.
  2. I did not use this password anywhere else.
  3. The password had upper/lower case and digits.
  4. The password was as strong as any password could have been on PerlMonks.
And since I didn't use the password anywhere else, you might think I had nothing to lose, right? Wrong. Some people here have focused on the password as the only critical piece. But along with the password, the crackers also got our email addresses and potentially our real names (in my case I have not supplied a real name).

What advice do the "professionals" have regarding email addresses? Should we apply for a different email account for every webservice we use as well? Spam is a big problem these days, as is identity theft. If we were to use a fake email address, we would be unable to sign up on Perl Monks. So, I did have something to lose after all.

It is also my understanding that it was not the user passwords that were cracked, but the server root itself. Is there any way our data could have been protected from a root-level attack? I doubt it.

I begin to wonder if the real security problem here had little to do with passwords, and everything to do with general server security procedures. On my linux server, I use a firewall, I ban for twenty minutes any user who fails thrice to correctly enter a password, and use private/public keys with SSH on a non-standard port which will not allow anyone to login as root. Logging in as root requires a separate step. The database is password protected with a separate password, and I do not keep dumps of the DB's user table. And I do not think my server is especially secure. There are many more steps one might take. But it sounds like from the way PM was cracked, it was almost a giveaway.

If you want to discuss having more secure passwords here, then can we talk about having more than 8 characters in our passwords? But a chain is only as strong as its weakest link, and it seems that even the weakest of passwords belonging to users here may not have been the weak link in this case.

Blessings,

~Polyglot~


In reply to Re: Status of Recent User Information Leak by Polyglot
in thread Status of Recent User Information Leak by Co-Rion

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (3)
As of 2024-03-29 05:55 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found