Update 2/16: castaway patched the system. At least now it's not sent back in plain text. Encrypted would be nice, but it is a huge step in the right direction. Thanks castaway! You can hate me now for using so much bold. :)

I wandered over to the perlmonk user editor page, to post my pic (hi maw!), and discovered that my password is prepopulated. This in part scares me for 2 reasons.

Prepopulating it means that it's easy access for anyone who knows how to form a url and post/get it. That being said, I wouldn't be surprised if a broken JS implementation (or a good one) was developed so that the user page could be loaded in a minimal iframe, or one in the lower bounds of the page, and someone could create a malicious form to steal the password. I know that some monks have cute forms that post stuff to the chatterbox; what would happen if a user clicked something cute that did the same for passwords?

Also, what if the page gets cached somewhere? It worries me as there have been viruses in the past that have stolen user cookies, so why not cached pages as well? Since it is in plain text and downloaded by the browser, I'd wager the risk of it being stored someplace more permanent is higher. I know that PM is a non-https site, so we do send our passwords in plaintext as well, but printing it to the page for prepopulation of the form kinda freaks me out a little.

Finally, why are passwords stored in plain text? Shouldn't they be crypted (unix, md5, something) in some form? I know, perlmonks is a community site, but it's a site nonetheless, which can be broken into. And knowing us all, we reuse usernames and passwords. What if a rogue developer or a cracker got into the site? No need to make their lives easier, right?

I'm just concerned. I know the dev team has a lot to deal with, with server upgrades and performance enhancements. It'd be cool to see this addressed as it is a genuine security concern of mine.

Update: fixed title and this: Someone said that the view is that it's not like we store CC's here. That's fine and all, but this is a real site that gets how many people hitting the site? I directed a friend of mine who is, security-wise, a yutz, but a smart guy nonetheless. Does it mean I have to go and tell him, "I'm sorry I directed you there, but if someone one day exploits the site, they'll get your password. You should really change it."? A user's password is also a valuable thing belonging to someone, and as a site owner who has run sites before, I've been expected to hold the same view, just as slashdot or other sites are expected to do. Even a warning, "your password is stored in plain text", is a step up from what is currently implemented. :(

peace,
-s


Play that funky music white boy..

In reply to User Editor Page and clear text passwords by exussum0
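The two problems raised in the post (the clear-text password written into the user editor form, and the password stored unhashed) side by side with a hardened version, as an added example that is not code from the post or from PerlMonks. It assumes a PBKDF2-SHA256 hash in place of the crypt/md5 the post mentions, and the `user` dictionary and form field names are hypothetical.

```python
import hashlib
import hmac
import os
from html import escape

ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Derive a salted PBKDF2 value for storage; the clear text is discarded."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def render_editor_form_unsafe(user):
    """The pattern the post describes: the stored clear-text password is
    echoed into the page so the field appears 'prepopulated'. Anyone who can
    read the page (cache, malicious form, proxy) reads the password."""
    return (f'<input name="user" value="{escape(user["name"])}">'
            f'<input name="passwd" type="password" value="{escape(user["password"])}">')


def render_editor_form(user):
    """Hardened: the password field is always empty; the page never carries
    the secret, and there is no clear-text value to echo anyway."""
    return (f'<input name="user" value="{escape(user["name"])}">'
            '<input name="passwd" type="password" value="" autocomplete="new-password">')


def handle_editor_post(user, form):
    """Only replace the stored hash when a non-empty new password is posted."""
    new = form.get("passwd", "")
    if new:
        user["password_hash"] = hash_password(new)
    return user


# Constructed sample account (hypothetical user and password).
SAMPLE_USER = {"name": "exussum0", "password_hash": hash_password("correct horse")}
```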
