Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

It's Time for Everyone to Change Passwords!

by toma (Vicar)
on Jul 29, 2009 at 08:28 UTC ( #784158=monkdiscuss: print w/ replies, xml ) Need Help??

And, if you use the same password on other sites, change your password there, also.

The site has been hacked. After you change your password, your new password might be vulnerable to anyone who happens to know the hack that made the current passwords available, so plan on changing it again.

The good news is that if you aren't a janitor and aren't in Saints in our Book your password was *not* disclosed to the general public, as far as anyone here can tell. I would change it anyway, what the heck. See your profile page to change your password.

It should work perfectly the first time! - toma

Comment on It's Time for Everyone to Change Passwords!
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 29, 2009 at 08:37 UTC
    change mine please, its been a while since I logged in, I think I lost it. I'm vroom, can you change it to mooorv?
Re: It's Time for Everyone to Change Passwords!
by virtualsue (Vicar) on Jul 29, 2009 at 08:46 UTC
    I suggest that this also be announced on the front page of the site. Even better: a small but noticeable banner which appears on all pages for the next week or so.

    Update: Now I hear that the 'leak' is not fixed, hence I think the site should really be taken down until that happens. Once the site is secure again, bring it up. Not a lot of point in telling everyone to change their passwords if intruders can still view them.
      Not a lot of point...

      Yet, for those who have used the same password on multiple sites, it is better that they change them to something unique, particularly if the new one will be compromised.

      It is currently front-paged, but this is not sufficient; your banner idea sounds like a good one. I don't normally enter through the Monastery Gates, but instead jump directly to SOPW, as that's where everything that interests me tends to be found. If not for a chatterbox mention of passwords being published, I would not be aware of this.

      Voting up the announcement to get it into daily/weekly best would also help with getting the word out, but a site-wide banner would probably be the most effective way to do it.

Re: It's Time for Everyone to Change Passwords!
by Ovid (Cardinal) on Jul 29, 2009 at 08:48 UTC

    Everyone should change their passwords. Just because your password wasn't published (I was very tempted to post the link), doesn't mean that someone doesn't have it. Fortunately, a couple of years ago I started getting more concerned about security and I considered Perlmonks a "low-risk" site (in terms of whether or not I care about a compromise), so I deliberately switched this password to an unique easy-to-remember one (pineappl, if you're curious). It's now changed to something far stronger, but it's another throwaway password. I assume that things like this will recur. It's safer that way.

Re: It's Time for Everyone to Change Passwords!
by Khen1950fx (Canon) on Jul 29, 2009 at 09:02 UTC
    I had my identity stolen twice back in 1999 when I was using Windows. I got rid of Windows, and I've used Fedora exclusively since then. All my passwords are throw-away with no connection to any personal information at all. I make it a point not to give out my SSN, address, birthday, phone number, etc., over the internet or over cordless phones or cell phones. If they really want my nodes here that bad, then I give them to them. Take my nodes, please!:-)
Re: It's Time for Everyone to Change Passwords!
by ig (Vicar) on Jul 29, 2009 at 09:11 UTC

    I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker than waiting for everyone to get the message and reset their own passwords.

    And an email to all users, to reach those who might otherwise not login and learn of the breach any time soon. Some of them might want to reset passwords elsewhere.

      Not only that, but there are also people who haven't been to perlmonks for quite some time (perhaps with the intent to never return). I guess we don't have those accounts to be misused either.
      I suggest everyone's password be randomized.

      There is a danger in that, because several people (especially users with old accounts) will not have updated their email address and will therefore not receive their new password. Despite that, I strongly support this suggestion, dealing with people who have lost access is going to result in a lot less pain than having malicious kiddies logging onto overlooked accounts for months to come.

      Also, I think virtualsue is absolutely right, take the site down now and don't put it back up until it's running on a known-clean machine.


      All dogma is stupid.
      A nice-to-have feature would be a "gimme a new random password and instantly send me a reminder" button on the settings page where the password gets changed.

      In fact, I'm sure that's what the "I forgot my password" button does - maybe all we need to do is make that button easier to find for a logged-in user.

      Which reminds me, it's not obvious where "Change password" is - I wandered around my profile for a while before finding it.


      Mike
        Exactly, I agree on this. That button is not really easy to find... It is bad that somebody wanted to neutralize our place of refuge :(... I did not know of this until I glanced through the chatterbox too
        Excellence is an Endeavor of Persistence. Chance Favors a Prepared Mind

        The password reminder (as I used it yesterday) doesn't set a new password. It sends current password in an email.

        If the passwords were encrypted, as they should be, then the current password reminder function would not be possible.

        If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).

        This risk can be mitigated by having the password reset function set a new additional password if the user is unauthenticated, without invalidating the current password. Only if the user is currently authenticated should the password reset function invalidate previous passwords. This presumes an authentication system that supports multiple concurrent passwords.

        Security can be improved by setting a short expiry and limiting the number of uses of the password set by the password reset function available to unauthenticated users.

        If the new passwords are distributed by email, then the user accounts are only as secure as the email delivery system. Ideally, the system would support but not require encrypted email for new password distribution.

Re: It's Time for Everyone to Change Passwords!
by ig (Vicar) on Jul 29, 2009 at 09:11 UTC

    duplicate, sorry... I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker that waiting for everyone getting the message to reset their own passwords.

Re: It's Time for Everyone to Change Passwords!
by mzedeler (Pilgrim) on Jul 29, 2009 at 09:32 UTC

    Are we sure that perlmonks.org isn't still compromised? If we haven't gone through the motions closing all security holes and reinstalling on a fresh OS, it doesn't make much sense to ask people to change their passwords at perlmonks.org.

Re: It's Time for Everyone to Change Passwords!
by salva (Abbot) on Jul 29, 2009 at 11:12 UTC
    It is likely that some people used the same password/login combination in other Perl related forums (i.e. use.perl, CPAN, rt, etc.).

    As the list of passwords seems to be publicly available now, would it make sense to also check the user accounts on this sites and take the required measures to disable the ones found to be compromised?

    At least, can we make a list of Perl relates sites users should check just in case they reused the Perlmonks password there?

      the site is 404 now and i found only one public mirror so far.
      however the hack is a few months old already : Fri Apr 15 13:34:52 2005

      btw interesting new user : 784161

      update: while the date was wrong (can't believe i misread this) the hack is still a few months old
        however the hack ia few month old already : Fri Apr 15

        I'm guessing, but from comments in the CB I've gathered that the server that was hacked was an old machine, which is still up but no longer in active use. So the hack might very well be more recent, with only older information being disclosed.


        All dogma is stupid.

        Please note: The April 15, 2005 date is the output of a uname command. The list of saints includes users who did not exist in 2005 and/or people who were only added to the Saints list at the end of April, 2009. This is a recent hack.

        Best, beth

        that particular output of uname is the kernel version, IE when it was compiled. uname doesn't output the current date.
        It's still out there, now mirrored in several places (not by me, but others). Since PerlMonks is still up and running, some must think there's no risks remaining. In the interest of full disclosure here's the *TEXT ONLY* of the posting:
        There is a really simple reason we owned PerlMonks: we couldn't resist more than 50,000 unencrypted programmer passwords.

        That's right, unhashed. Just sitting in the database. From which they save convenient backups for us.

        Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let's just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I'm sure you can figure it out yourselves.

        This isn't a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

        ...

        In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

        Not worth our time ;)

Re: It's Time for Everyone to Change Passwords!
by kyle (Abbot) on Jul 29, 2009 at 12:13 UTC

    In light of this, I think it would be a good time to update Changing your password to reflect how the "edit your user information" link has moved. It's no longer at the bottom on the left. Rather, it's at the top, and it's called "Profile" now.

      Done. Thanks, kyle!

      HTH,

      planetscape
Re: It's Time for Everyone to Change Passwords!
by moritz (Cardinal) on Jul 29, 2009 at 13:07 UTC
    How hard would it be only stored hashed (+salted) passwords in future? At least then the worries about other accounts with same or similar passwords would be gone if such a thing happened again.
      This ought to be a top priority. Really, if a user posted a question here about storing passwords, I'd be telling them they shouldn't be allowed near the passwords if they don't see the importance of at least hashing them. I'm very, very surprised that a technical site like PM doesn't do this already.

      It shouldn't be a question of how hard, rather it should be a question of when. Given the large number of nodes discussing exactly this, many with advice from the gods, I have no doubt a sane security policy can be put in place.

      The real questions are:

      • When?
      • How will the users be informed?

      I actually had to explain to the admins on here this morning why hashed passwords might be a good idea. We are so hosed.
No, it's time for everyone's exposed passwords to be changed by admins
by Your Mother (Canon) on Jul 29, 2009 at 15:32 UTC

    There are *many* users on the saints page who haven't logged in in years, or won't log in soon. Janitors or Gods need to bulk change them all and send an email or special instructions for recovery to all affected users.

    (I understand these things happen and I'm not particularly worried. Just want the right solution.)

Re: It's Time for Everyone to Change Passwords! (changed)
by tye (Cardinal) on Jul 29, 2009 at 21:14 UTC

    All of the published passwords have been changed. Most of the parties involved have been e-mailed about this (still fighting anti-spam measures to get the remaining e-mails out) both at their prior e-mail address and their new e-mail address (if their e-mail address was recently changed).

    Sorry, I've spent a lot of time working on this already and don't have time to compose a long notice about details or plans, most of which have been published by other people already anyway.

    Sorry for the inconvenience and thanks for your patience.

    - tye        

      I looked through a bunch of the posts, and did not see the issue brought up or addressed, but what if my email was changed a while back and I never got around to updating it on perlmonks as I don't frequent the site very often anymore. It has obviously been changed.

      So without being able to know which email it went to, and not being able to change the email it should go to, what is my next step, if i don't wish to create a new account.

      Looks like I am one of the affected and the email got lost. Could you try to send it again to my CPAN email once you have a moment? No rush. I'm not sure what, if any, email address do I have on file on Perlmonks.

      Thanks, Jenda@CPAN.org

        Got it, thanks!

        Jenda
        Enoch was right!
        Enjoy the last years of Rome.

      I've been effected and the password retrieval tool either doesn't seem to be working or my email address has been changed. No biggie. Could you email my new password to "will at silent11 dot com" or Direct Message me using the twitter handle located on my profile page?

      Thanks.


      silent11
        Disregard the above message. If the crackers hadn't of posted everyone's email address I wouldn't have know what address to send my new password to.
      All of the published passwords have been changed.

      Thanks for that, and also for the fact that the page that does "send a password reminder for my perlmonks account to my email address" worked just fine.

      I'm glad to be back.

Re: It's Time for Everyone to Change Passwords!
by sutch (Curate) on Jul 29, 2009 at 22:32 UTC
    This must be a promotional gimmick to get PerlMonks that moved to Ruby to come back to the PerlMonks site!
Re: It's Time for Everyone to Change Passwords!
by Argel (Prior) on Jul 30, 2009 at 00:08 UTC
    FWIW, I don't think I ever received an email but obviosuly found about it when I lost my Perl-Blue theme. My eyes!!! (^_^)

    Is there a place with more details, such as where our information was published? I'm interested in knowing where my information was exposed.

    Elda Taluta; Sarks Sark; Ark Arks

Re: It's Time for Everyone to Change Passwords!
by Lawliet (Curate) on Jul 30, 2009 at 05:17 UTC
    The good news is that if you aren't a janitor and aren't in Saints in our Book your password was *not* disclosed to the general public

    And here I was celebrating the fact I finally made it to Saint status >.>

    I don't mind occasionally having to reinvent a wheel; I don't even mind using someone's reinvented wheel occasionally. But it helps a lot if it is symmetric, contains no fewer than ten sides, and has the axle centered. I do tire of trapezoidal wheels with offset axles. --Joseph Newcomer

Re: It's Time for Everyone to Change Passwords!
by Skeeve (Vicar) on Jul 30, 2009 at 06:27 UTC

    Don't give to many hints!

    I suggest to take the Saints in our Book page down or at least remove the information when a user last logged in. It might not be a big issue, but seeing that someone didn't log in for 46 weeks now implies that he might not know of his published password and so odds are better that his password is still valid on other sites.


    s$$([},&%#}/&/]+}%&{})*;#$&&s&&$^X.($'^"%]=\&(|?*{%
    +.+=%;.#_}\&"^"-+%*).}%:##%}={~=~:.")&e&&s""`$''`"e
      I see that blazar (who died in late 2008, I believe) logged in 12 hours ago ... which is a bit unsettling.
      Who is going to change his password ?

      Cheers,
      Rob
      Update: I see that new passwords have been allocated to anyone who hadn't made a change ... I think this will probably take care of the matter.
        Oops. Having the same ugly impression that some none saint accounts are being used by impersonators. :-(

        With kind regards.
        ddn123456
        my other account Courage, which is actually my favourite, (and "officially "approved) is also seemingly compromised - I can't login, and it was in saints...
        mailing the password does not work, I guess my email was changed?

        OMG... what to do??

        OMG, I completely missed that post! The the thread is Sad news. How tragic!! (T_T)

        Elda Taluta; Sarks Sark; Ark Arks

Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 15:05 UTC
    Well, shoot. The password my browser remembers doesn't work, every password I think is likely for me to have used doesn't work, and the password reminder is probably going to a defunct email address. Any suggestions on what I can do? I'm scain if it matters.
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 20:52 UTC
    All I say - they won
    • long time already PM site has long responce time... it was periodically explained that this is due to some attacks which results in overloading the servers.
      Anyway, long responce make users of site to go away
    • all the stupid HTML tags also makes me sad... people all over the world has convenient typing system, and only here I must enter <p><br><i>stupidity
    • and now this password stealing - and they seemingly changed passwords of many users

    sad, all is sad.
    It is obvious that gods are devoting their own time and deserve applauses, not criticizing.
    they do improvements, but these improvements are often too backward-compatible, or awkward-compatible.
    And the result is - typesetting is awkward and obsolete, the site is succesfully attacked over a long time already...
    enemies won :(

      all the stupid HTML tags also makes me sad... people all over the world has convenient typing system, and only here I must enter <p><br><i>stupidity

      I prefer the HTML markup and find it very convenient. What other typing systems are you referring to? BBCode?

      I don't mind occasionally having to reinvent a wheel; I don't even mind using someone's reinvented wheel occasionally. But it helps a lot if it is symmetric, contains no fewer than ten sides, and has the axle centered. I do tire of trapezoidal wheels with offset axles. --Joseph Newcomer

        I was referring to markup widely accepted in wiki. stripped HTML markup is hard to type.

        (yes, that anonymous person above was me :) )

Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 23:23 UTC
    It seems I've been affected. My password no longer works and the "password reminder" does not send me any emails. What do I do?

    user = mifflin

Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Aug 01, 2009 at 15:58 UTC
    Was eric256, email address xxxxxx@gmail.com, that should have been changed to xxx.yyyy@gmail.com If someone could change and resend my password I would appreciate it.

    20090811 Janitored by Corion: Redacted email addresses

      All set. Thanks.


      ___________
      Eric Hodges
        Do you want your email address to be public now?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: monkdiscuss [id://784158]
Approved by Corion
Front-paged by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (11)
As of 2014-12-19 14:02 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (83 votes), past polls