in reply to Re^2: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

There seem to be an awful lot of overreactions going on here. Breakins happen from time to time. Storing the passwords cleartext is embarassing, sure, but it was probably considered handy for mailing passwords to people back in 1996 or whatever.

Also, hashing the passwords does not make them that much safer. Are you talking md5/sha1 hmac stuff like the Linux shadow files? Well, a few hours with john will get you a huge majority of the passwords I imagine, even with salts. And for the patient (or the botnet operator), even the really good ones will be discovered in relatively short order.

Pfft, I say. This is why you should use a randomly generated unique password on each site.

It doesn't really have anything to do with Perl or the Perl community either. I imagine the everything 2 engine has crypted passwords -- I don't really know that, I just imagine. Probably this was a bad design decision unique to this particular e2 site.

I'd guess more forum sites store passwords cleartext than don't though, doesn't really matter what language. It was really common to send your clear text password over cleartext email when you clicked "forgot password." A lot of sites changed this behavior, for good reasons, but a lot didn't. It's historical, not a Perl-the-language problem.

Basically, people were just too lazy to change it, because that's how it's always been.

-Paul

  • Comment on Re^3: Status of Recent User Information Leak

Replies are listed 'Best First'.
Re^4: Status of Recent User Information Leak
by Argel (Prior) on Aug 02, 2009 at 18:37 UTC
    There seem to be an awful lot of overreactions going on here. Breakins happen from time to time.
    It's true that break-ins happen but I think a couple things make this different:
    1. With identity theft such a big deal these days and considering how much more hostile the Internet is (organized crime using botnets, etc.) the reaction is going to be stronger.
    2. Considering how many times people have told new Monks not to use clear text passwords, not to use weak algorithms, etc. I think many assumed this site was practicing what it preached.
    3. There is a difference between being told your account was hacked and finding out your information was published.
    4. And finally there is a huge difference between being told it was hacked and actually seeing your information listed in a hacker ezine!! There is nothing abstract about it after that!

    I will close with a quote from this blog entry:

    As a Perl developer, and CPAN author, this is a bit concerning. First, it would be one issue if this were just some random group of people whose passwords had been hacked, but this is a database of tens of thousands of developers, probably most with root access to the machines they write code on, and according to the hackers, many using passwords that are being re-used elsewhere. These are the passwords of developers like Chromatic, Brian D Foy, Andy Lester, engineers at major corporations and government entities, and more. The hackers couldn’t have picked a worse server to crack and expose.

    I think it's for reasons like these that there has been such a strong reaction.

    Update 2009-08-06: Looking at the ezine again I can add two more reasons. The hackers specifically stated that they "couldn't resist so many clear text passwords" (paraphrased) and that "several Monks reuse their respective passwords" (paraphrased). That indicates that non-PerlMonk accounts have been accessed. And as previously mentioned, keep in mind the breach occured over two months before it was discovered.

    Elda Taluta; Sarks Sark; Ark Arks
[reply]
      I think many assumed this site was practicing what it preached.

      It is alive now? And managed by all 50,000 members? ...

[reply]
        Amazing! I was all ready to be persuaded by Argel's comments, but then I saw your post and with only two rhetorical questions you managed to convince me to completely disregard Argel's comments.

        NOT! (if that's too old skool you can subs "FAIL" instead, troll)

[reply]
Re^4: Status of Recent User Information Leak
by Anonymous Monk on Aug 02, 2009 at 06:40 UTC
    Also, hashing the passwords does not make them that much safer. Are you talking md5/sha1 hmac stuff like the Linux shadow files? Well, a few hours with john will get you a huge majority of the passwords I imagine, even with salts.

    Absolutely, they had access to all the code base.

    Probably this was a bad design decision unique to this particular e2 site.

    I just checked, it is the default in the codebase. Maybe other sites wrote updates, but they haven't made it back to sourceforge.

[reply]

In Section Perl Monks Discussion