Re^2: What happened?

What really worries me is that the attackers claim that the passwords were stored UNENCRYPTED. We tell each and every wannabe-coder to salt and encyrpt passwords, and the perlmonks code doesn't? If that is true, the monastery has a really big problem, and just changing our passwords once or twice, as advised in It's Time for Everyone to Change Passwords!, is just trying to cure the symptoms.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Comment on Re^2: What happened?

Replies are listed 'Best First'.
Re^3: What happened? by jrsimmon (Hermit) on Jul 29, 2009 at 15:25 UTC
Evidently they were stored plain text. Until someone updates the users that the breach has been closed and the passwords are actually being stored in a sane manner, you should expect that people who care to do so have full access to your profile.	[reply]
Re^4: What happened? by Juerd (Abbot) on Jul 29, 2009 at 15:35 UTC
Yes, but still people should change their passwords now. And again when the problems have been fixed. If your password is listed, anyone can use your password to change your posts, or worse: change your password so you can't change it yourself, later. If you change it now, your new (temporary) password would still be stored in clear text, on a possibly insecure host (although apparently the passwords were stolen from a disused server), but getting it would require significant effort as opposed to just reading a magazine that has probably been copied over a million times already.	[reply]
Re^5: What happened? by Anonymous Monk on Jul 30, 2009 at 03:23 UTC
users who havent logged into perlmonks in over a year should have their passwords changed by gods	[reply]