I understand your concern, but consider some things here. If someone can sniff your password the one time it's sent through email, they can sniff it every time you log in via unencrypted HTTP. If your email is being read by your ISP while it's on the server for the purposes of breaking into your Perlmonks account, then you should find an ISP with more work for its employees and a better code of ethics. If you're concerned that Pair is reading the mail sent by PerlMonks, then you shouldn't trust the server they are providing.

The only weak links left are the PerlMonks staff, whom you would seem to trust not to log in as you to mess with your data (and they could do the latter without need of the former if they were that sort), and your own security on your own systems (in which case your password could just be keylogged anyway).

Even with hashed passwords, someone who downloads the whole database without being noticed will have plenty of time to brute-force a few passwords out of it before all the passwords get changed. That's only a concern, though, if they actually choose to use the existing passwords rather than setting their own or just updating the contents of nodes directly.

I don't mean to dismiss or belittle your security concerns. Short of a server-wide breach of the sort that already famously happened, hashing passwords in the database adds little to security in the context in which PerlMonks is used. That context needs to be considered when assessing risk.

Don't use a password you're not willing to give up to some black hats who have an interest in it when you're sending it across a global network unencrypted. Why your particular PerlMonks password would be of interest to any black hats is beyond me, unless you also use it for banking or for proprietary computer systems at work. You're not exactly a bigshot admin at PM. Anyone who wants to post abusive drivel or spam and doesn't feel the need to impersonate you for that purpose can do that with no account or password anyway. Being a security advocate, you don't use your credentials across various systems owned and operated by various parties, do you?

The only other reason I can fathom for anyone but you to want your specific credentials is for reasons of harassing you personally and specifically, or to frame you for a crime. You probably don't have enemies who have both that kind of determination and the requisite skills. PerlMonks would be an odd sort of site to choose before something like a local news discussion site where people you actually know in real life might be more likely to read anyway.

Finally, as the admins have already announced (Status of Recent User Information Leak) that they plan on implementing hashing, any more talk about the feature that isn't furthering or announcing that implementation is pretty easily categorized as glue factory material.


In reply to Re: Passwords not being hashed? by mr_mischief
in thread Passwords not being hashed? by Massyn
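The trade-off the reply above argues over, as an added example that is not part of the original thread and not PerlMonks' own code: an unsalted fast hash beside a per-user salted PBKDF2 record, plus a crude cost model for an attacker who already holds a copy of the table, showing how much "plenty of time to brute-force" depends on the work factor. ITERATIONS and the attacker's hash rate are assumed placeholder numbers, not measurements.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor (placeholder); tune to the server's hardware


def legacy_hash(password: str) -> str:
    """Unsalted fast hash: the same password always yields the same digest,
    so one guess can be checked against every user in the table at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF, stored as a self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_attack_seconds(n_users: int, guesses_per_user: int, salted: bool,
                           iterations: int, attacker_hashes_per_second: int) -> float:
    """Crude cost model for someone who downloaded the whole table.
    Unsalted fast hash: one digest per guess serves every user, so the user
    count does not multiply the work.  Salted KDF: each guess must be
    recomputed per user and costs `iterations` underlying hashes."""
    per_guess = n_users * iterations if salted else 1
    return guesses_per_user * per_guess / attacker_hashes_per_second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
    # 1,000 users, a million guesses each, attacker at 1e9 SHA-256/s (constructed numbers)
    print(offline_attack_seconds(1000, 10**6, False, 1, 10**9))          # 0.001
    print(offline_attack_seconds(1000, 10**6, True, ITERATIONS, 10**9))  # 200000.0
```

The model deliberately ignores GPU precomputation and smarter guess ordering; its point is only that the salt removes the "one guess serves every user" shortcut and the iteration count sets the per-guess price.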
