Do you remember what happened today, 10 years ago?

No, not my first posting, that was a little bit earlier, still as Anonymous Monk. (Probably this one.)

Also not my first posting as afoken, also a little bit earlier.

So, what happened?

What happened? happened.

Some script-kiddie has demonstrated that storing passwords in plain text was (and still is) a pretty stupid idea. Caught perlmonks with pants down.

Promises were made:

Closing the Hole

PerlMonks admins are working with the Pair.com folks (who manage our hardware and connectivity resources) to evaluate and strengthen security on the servers. No information is available at this time as to the status of this effort.

Strengthening Authentication

The administrators are planning to implement hashed passwords (allowing more than 8 chars).

Now guess the current state. Or, just test it: Enter your user name into What's my password?. Click the submit button. Open your mail box.

This is what I received:

From: vroom@perlmonks.org
Subject: Password Mail
Date: Mon, 29 Jul 2019 12:46:51 -0400
X-Mailer: Perl script "index.pl"
        using Mail::Sender 0.8.10 by Jenda Krynicky, Czechlands
        running on perlmonks.com (216.92.34.251)
        under account "root"
Message-ID: <20190729_164651_081604.vroom@perlmonks.org>

Hey there.
You or someone else has requested a password for your username or e-mail
address.
Before you freak out, take a few deep breaths and remember that it's YOU
and not THEM who is getting this password.

Here's your info:

username: afoken
passwd: *** DELETED FROM THE MAIL BODY ***
human name: Alexander Foken

love, the management
http://perlmonks.org/

CONGRATULATIONS!

Perlmonks' pants are still down, ten years later.

See also:

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Replies are listed 'Best First'.
Re: It's been ten years ...
by haj (Vicar) on Jul 29, 2019 at 19:24 UTC

    This is indeed scary, and should not be too difficult to fix.

    I volunteer to look into that. Where's the code repository for the PerlMonks software?

[reply]
      There is no codebase. There only is a database that has code in it.


      holli

      You can lead your users to water, but alas, you cannot drown them.
[reply]
[d/l]
      We've discussed it already so many times.

      Perlmonks can't mail you the password if it's one-way encrypted.

      Best is to stick with a randomly generated password and to store it into your browser or password manager.

      When forgotten get it mailed to you.

      > and should not be too difficult to fix.

      This would imply adjusting the What's my password? mechanism too.

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery FootballPerl is like chess, only without the dice

      PS: And no, in my private scratch pad you'd neither find my credit card nor my email passwords nor the number of the Russian officer who's handling agent orange in the white house.

      I keep such information exclusively to myself and twitter.

[reply]
        Lanx writes:
        This would imply adjusting the What's my password? mechanism too.

        Yes, of course. You can improve easily by creating a fresh random password and mailing that to the user, and then store it encrypted. After all, they forgot their password, right?

        This is still bad security practice, though, as plain text email isn't actually secure. With a bit more effort you can get a decent self-service password reset function. This has been done before, it isn't rocket surgery.

[reply]

Back to Perl Monks Discussion