Re^3: Status of Recent User Information Leak

Instead of criticizing the admins and debating whether they have neglected a security aspect we should be glad that they could bear the hassle of running this free site and all the bedeviling shots that come along, without PM all of us would be punching in the dark sometime somewhere to get a certain code working

There is no question that the site bears some useful purpose. But such a fundamental mistake as to directly expose plain-text passwords absolutely deserves strong criticism.

Only a few months ago I stood my ground (through a protracted potentially career-limiting argument) with a project manager about salting passwords used for a website I was involved with the creation of. He didn't get it because he wasn't technical. The Admins of this site, however, should have "got it".

I can no longer post to this site using my original user name as my e-mail address has been published and could well be used to infer projects I am involved with. However that's inconvenient, not unforgivable, as hacks happen. Having to change other sites' passwords as a result of plain text leaks, however, is intolerable.

Comment on Re^3: Status of Recent User Information Leak

Replies are listed 'Best First'.
Re^4: Status of Recent User Information Leak by Your Mother (Archbishop) on Aug 05, 2009 at 05:08 UTC
I've said before that I agree it was a bush-league mistake and it would be nice to see the site practice what we all preach but I'm getting sick of critiques like yours because they're all fundamentally flawed. As every sign-in on this site is under http and not https your password is sent as clear text regardless of how it happens to be stored on the site. It's inherently insecure. (update: noticed parv, and others, brought this up already.)	[reply]
Re^4: Status of Recent User Information Leak by Anonymous Monk on Aug 05, 2009 at 01:40 UTC
directly expose plain-text passwords What do you mean by directly expose?	[reply]


Think about Loose Coupling
	PerlMonks