Hi monks

I've been playing with a Firefox plug-in to encrypt my passwords, which I messed up, and I've just requested to have my password reset, and I was surprised to see my actual password being emailed to me. This means that my password is stored in clear text in the Perlmonks database.

As a security advocate, these kinds of observations make me somewhat nervous.

You may recall a recent scare where some Perlmonks passwords got out onto the web. This makes me think that an overhaul of the Perlmonks security module should be in order.

It will be a trivial task to hash the passwords in the database with MD5 or even better SHA1, so that the clear text password is never known to anyone except the account holder. Should a password reset be required, reset the password, and email a unique key. Also something that is not difficult to do.

Lastly, I would like to see the use of OpenID, or technologies like the Yubikey for authentication. It is not difficult to implement, and I think that as a community we need to show that we are capable of running a well managed system.

Happy new year to all.

Massyn

Re: Passwords not being hashed?
by Argel (Prior) on Jan 11, 2010 at 22:12 UTC
    It's been six months since the people running PerlMonks found out about the security breach (because the hackers published user info for everyone in the Saints in our Book). It's pretty unrealistic to expect any changes anytime soon and even less realistic to hope for e.g. OpenID support. And to be honest, the Perl community would likely be better served if time and energy were devoted to migrating PerlMonks to an easier to maintain platform at this point vs. continuing to make enhancements to the current codebase.

    Elda Taluta; Sarks Sark; Ark Arks

Re: Passwords not being hashed?
by Anonymous Monk on Jan 09, 2010 at 07:50 UTC
Re: Passwords not being hashed?
by mr_mischief (Monsignor) on Jan 16, 2010 at 09:13 UTC
    I understand your concern, but consider some things here. If someone can sniff your password the one time it's sent through email, they can sniff it every time you log in via unencrypted HTTP. If your email is being read by your ISP while it's on the server for the purposes of breaking into your Perlmonks account, then you should find an ISP with more work for its employees and a better code of ethics. If you're concerned that Pair is reading the mail sent by PerlMonks, then you shouldn't trust the server they are providing.

    The only weak links left are the PerlMonks staff, whom you would seem to trust not to log in as you to mess with your data (and they could do the latter without need of the former if they were that sort) and your own security on your own systems (in which case your password could just be keylogged anyway).

    Even with hashed passwords, someone who downloads the whole database without being noticed will have plenty of time to brute-force a few passwords out of it before all the passwords get changed. That's only a concern, though, if they actually choose to use the existing passwords rather than setting their own or just updating the contents of nodes directly.

    I don't mean to dismiss or belittle your security concerns. Short of a server-wide breach of the sort that already famously happened, hashing passwords in the database adds little to security in the context in which PerlMonks is used. That context needs to be considered when assessing risk.

    Don't use a password you're not willing to give up to some black hats who have an interest in it when you're sending it across a global network unencrypted. Why your particular PerlMonks password would be of interest to any black hats is beyond me, unless you also use it for banking or for proprietary computer systems at work. You're not exactly a bigshot admin at PM. Anyone who wants to post abusive drivel or spam that doesn't feel the need to impersonate you for that purpose can do that with no account or password anyway. Being a security advocate, you don't use your credentials across various systems owned and operated by various parties, do you?

    The only other reason I can fathom for anyone but you to want your specific credentials is for reasons of harassing you personally and specifically, or to frame you for a crime. You probably don't have enemies who have both that kind of determination and the requisite skills. PerlMonks would be an odd sort of site to choose before something like a local news discussion site where people you actually know in real life might be more likely to read anyway.

    Finally, as the admins have already announced (Status of Recent User Information Leak) that they plan on implementing hashing, any more talk about the feature that isn't furthering or announcing that implementation is pretty easily categorized as glue factory material.
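
The following is an added example, not code from PerlMonks, the Everything engine, or any poster in this thread. It sketches the two things Massyn asks for in the original post (store only a hash of the password; on reset, e-mail a one-off key rather than the password) and also addresses mr_mischief's point above that a stolen dump of hashed passwords can still be brute-forced: the hash is salted per user and iterated so each guess costs the attacker ~100k SHA-256 computations, and the reset token is single-use, expires, and is itself stored only as a hash. The user and token tables are in-memory hashes standing in for the database; the sample user, passphrases and the /dev/urandom source of randomness are assumptions for the demo. Digest::SHA has been a core module since Perl 5.10; on a real deployment a purpose-built scheme such as bcrypt (Crypt::Eksblowfish::Bcrypt on CPAN) would be preferable to hand-rolled iteration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256 sha256_hex);   # core module since Perl 5.10

# Hypothetical in-memory stand-ins for the user and reset-token tables.
my %users;
my %reset_tokens;

# Random bytes from the kernel CSPRNG (assumes a Unix-like host).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Salted, iterated SHA-256. The per-user salt defeats precomputed tables and
# the iteration count makes every guess against a leaked dump cost ~100k hashes.
sub hash_password {
    my ($password, $salt, $iterations) = @_;
    my $h = sha256($salt . $password);
    $h = sha256($salt . $h) for 2 .. $iterations;
    return $h;
}

sub store_password {
    my ($user, $password) = @_;
    my $salt  = random_bytes(16);
    my $iters = 100_000;
    $users{$user} = {
        salt  => $salt,
        iters => $iters,
        hash  => hash_password($password, $salt, $iters),
    };
    return 1;
}

# Compare without an early exit so timing does not leak how many bytes matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub verify_password {
    my ($user, $password) = @_;
    my $rec = $users{$user} or return 0;
    return constant_time_eq($rec->{hash},
        hash_password($password, $rec->{salt}, $rec->{iters}));
}

# Password reset: mail a random single-use token and store only its hash, so a
# leaked table exposes neither passwords nor usable reset tokens.
sub issue_reset_token {
    my ($user) = @_;
    return unless $users{$user};
    my $token = unpack 'H*', random_bytes(24);
    $reset_tokens{$user} = { hash => sha256_hex($token), expires => time + 3600 };
    return $token;   # this, not the password, is what goes into the e-mail
}

sub redeem_reset_token {
    my ($user, $token, $new_password) = @_;
    my $rec = delete $reset_tokens{$user} or return 0;   # single use
    return 0 if time > $rec->{expires};
    return 0 unless constant_time_eq($rec->{hash}, sha256_hex($token));
    return store_password($user, $new_password);
}

# Walk-through with constructed data.
store_password('massyn', 'correct horse battery staple');
print "login:       ", (verify_password('massyn', 'correct horse battery staple') ? 'ok' : 'denied'), "\n";
print "wrong pw:    ", (verify_password('massyn', 'wrong') ? 'ok' : 'denied'), "\n";

my $token = issue_reset_token('massyn');   # would be e-mailed to the user
print "reset:       ", (redeem_reset_token('massyn', $token, 'new passphrase') ? 'ok' : 'denied'), "\n";
print "reset again: ", (redeem_reset_token('massyn', $token, 'again') ? 'ok' : 'denied'), "\n";
print "new login:   ", (verify_password('massyn', 'new passphrase') ? 'ok' : 'denied'), "\n";
```

Note what the table holds after this runs: a salt, an iteration count and a hash per user, and a hash of the reset token with an expiry. Neither the clear-text password nor the token itself is ever written down, so a "password reset" e-mail can no longer reveal the password, and anyone who copies the table gets only the expensive, per-user brute-force job mr_mischief describes rather than a free list of credentials.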

Re: Passwords not being hashed?
by Anonymous Monk on Jan 09, 2010 at 07:54 UTC
    Adding to the wishlist, it would be nice if perlmonks switched to utf-8