Re: Status of Recent User Information Leak

by Polyglot (Chaplain)
on Aug 03, 2009 at 05:49 UTC ( [id://785345] )

in reply to Status of Recent User Information Leak

I realize many have already given their two cents here. As my two cents are of a slightly different shade, I will add them to the pile.

  1. I used a random password on PerlMonks.
  2. I did not use this password anywhere else.
  3. The password had upper/lower case and digits.
  4. The password was as strong as any password could have been on PerlMonks.

And since I didn't use the password anywhere else, you might think I had nothing to lose, right? Wrong. Some people here have focused on the password as the only critical piece. But along with the password, the crackers also got our email addresses and potentially our real names (in my case I have not supplied a real name).

What advice do the "professionals" have regarding email addresses? Should we apply for a different email account for every web service we use as well? Spam is a big problem these days, as is identity theft. If we were to use a fake email address, we would be unable to sign up on Perl Monks. So, I did have something to lose after all.

It is also my understanding that it was not the user passwords that were cracked, but the server root itself. Is there any way our data could have been protected from a root-level attack? I doubt it.

I begin to wonder if the real security problem here had little to do with passwords, and everything to do with general server security procedures. On my Linux server, I use a firewall, I ban for twenty minutes any user who fails thrice to correctly enter a password, and use private/public keys with SSH on a non-standard port which will not allow anyone to log in as root. Logging in as root requires a separate step. The database is password protected with a separate password, and I do not keep dumps of the DB's user table. And I do not think my server is especially secure. There are many more steps one might take. But from the way PM was cracked, it sounds like it was almost a giveaway.

If you want to discuss having more secure passwords here, then can we talk about having more than 8 characters in our passwords? But a chain is only as strong as its weakest link, and it seems that even the weakest of passwords belonging to users here may not have been the weak link in this case.

Blessings,

~Polyglot~
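The three-strikes lockout described in the post above, written out as an added example (this is not code from the original post or from PerlMonks): it reads OpenSSH auth-log lines, counts failed password attempts per source address in a sliding window, bans the address for twenty minutes after the third failure, and lets the ban expire. The log lines, the addresses, the ten-minute counting window and the year used to complete the syslog timestamps are all constructed assumptions for this example; hooking the resulting bans into a real firewall is left out.

```python
"""Three-strikes SSH lockout over sshd auth-log lines (added example)."""
import re
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # third failure triggers the ban
WINDOW = timedelta(minutes=10)    # assumed: failures must fall within this window
BAN_DURATION = timedelta(minutes=20)

# Constructed sample data in classic syslog/OpenSSH format; not a real log.
SAMPLE_LOG = """\
Aug  3 05:40:01 monastery sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 05:40:04 monastery sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 05:40:09 monastery sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug  3 05:40:12 monastery sshd[1205]: Failed password for polyglot from 203.0.113.7 port 51044 ssh2
Aug  3 05:41:00 monastery sshd[1210]: Accepted publickey for polyglot from 198.51.100.5 port 40112 ssh2: RSA SHA256:abc
Aug  3 05:55:30 monastery sshd[1220]: Failed password for root from 198.51.100.9 port 40200 ssh2
Aug  3 06:01:00 monastery sshd[1230]: Failed password for root from 203.0.113.7 port 51100 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line, year=2009):
    """Return (timestamp, succeeded, user, ip) for an sshd auth line, or None if it is not one.

    Syslog timestamps carry no year, so one is supplied (assumed: 2009)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["result"] == "Accepted", m["user"], m["ip"]


class Lockout:
    """Per-source sliding-window failure counter with expiring bans."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_for=BAN_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.failures = {}      # ip -> timestamps of recent failures
        self.banned_until = {}  # ip -> datetime at which the ban lapses

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]   # ban has expired; the source starts clean
            return False
        return True

    def record_failure(self, ip, when):
        """Count a failure; return True if this one triggers a ban."""
        recent = [t for t in self.failures.get(ip, []) if when - t <= self.window]
        recent.append(when)
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = when + self.ban_for
            self.failures[ip] = []      # counter resets once the ban is imposed
            return True
        self.failures[ip] = recent
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)     # a successful login clears the strikes


def process_log(text, year=2009, tracker=None):
    """Replay log lines through a Lockout; return ("banned"|"blocked", ip, time) events.

    "banned" carries the time the ban lapses; "blocked" is an attempt made while banned,
    which is reported but deliberately not counted as another strike."""
    if tracker is None:
        tracker = Lockout()
    events = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue                    # unrelated log line
        when, ok, _user, ip = parsed
        if tracker.is_banned(ip, when):
            events.append(("blocked", ip, when))
            continue
        if ok:
            tracker.record_success(ip)
        elif tracker.record_failure(ip, when):
            events.append(("banned", ip, tracker.banned_until[ip]))
    return events


if __name__ == "__main__":
    for kind, ip, when in process_log(SAMPLE_LOG):
        print(f"{kind:8} {ip:15} {when:%Y-%m-%d %H:%M:%S}")
```

On the sample data, 203.0.113.7 is banned at its third failure (05:40:09) until 06:00:09, its fourth attempt at 05:40:12 is reported as blocked rather than counted, and its attempt at 06:01:00 lands after the ban has lapsed and starts a fresh count. The single failure from 198.51.100.9 never reaches the threshold. The window is what keeps a slow, patient guesser from being banned for three failures spread over an hour; whether that is desirable is a policy choice, and tools such as fail2ban expose the same knob.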
