Re: It's Time for Everyone to Change Passwords!
by Ovid (Cardinal) on Jul 29, 2009 at 08:48 UTC
|
Everyone should change their passwords. Just because your password wasn't published (I was very tempted to post the link), doesn't mean that someone doesn't have it. Fortunately, a couple of years ago I started getting more concerned about security and I considered Perlmonks a "low-risk" site (in terms of whether or not I care about a compromise), so I deliberately switched this password to a unique easy-to-remember one (pineappl, if you're curious). It's now changed to something far stronger, but it's another throwaway password. I assume that things like this will recur. It's safer that way.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by virtualsue (Vicar) on Jul 29, 2009 at 08:46 UTC
|
I suggest that this also be announced on the front page of the site. Even better: a small but noticeable banner which appears on all pages for the next week or so.
Update: Now I hear that the 'leak' is not fixed, hence I think the site should really be taken down until that happens. Once the site is secure again, bring it up. Not a lot of point in telling everyone to change their passwords if intruders can still view them. | [reply] |
|
Not a lot of point...
Yet, for those who have used the same password on multiple sites, it is better that they change them to something unique, particularly if the new one will be compromised.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by ig (Vicar) on Jul 29, 2009 at 09:11 UTC
|
I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker than waiting for everyone to get the message and reset their own passwords.
And an email to all users, to reach those who might otherwise not login and learn of the breach any time soon. Some of them might want to reset passwords elsewhere.
| [reply] |
|
I suggest everyone's password be randomized.
There is a danger in that, because several people (especially users with old accounts) will not have updated their email address and will therefore not receive their new password. Despite that, I strongly support this suggestion; dealing with people who have lost access is going to result in a lot less pain than having malicious kiddies logging onto overlooked accounts for months to come.
Also, I think virtualsue is absolutely right: take the site down now and don't put it back up until it's running on a known-clean machine.
| [reply] [d/l] |
|
Not only that, but there are also people who haven't been to perlmonks for quite some time (perhaps with the intent to never return). I guess we don't have those accounts to be misused either.
| [reply] |
|
A nice-to-have feature would be a "gimme a new random password and instantly send me a reminder" button on the settings page where the password gets changed.
In fact, I'm sure that's what the "I forgot my password" button does - maybe all we need to do is make that button easier to find for a logged-in user.
Which reminds me, it's not obvious where "Change password" is - I wandered around my profile for a while before finding it.
| [reply] |
|
The password reminder (as I used it yesterday) doesn't set a new password. It sends the current password in an email.
If the passwords were encrypted, as they should be, then the current password reminder function would not be possible.
If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).
This risk can be mitigated by having the password reset function set a new additional password if the user is unauthenticated, without invalidating the current password. Only if the user is currently authenticated should the password reset function invalidate previous passwords. This presumes an authentication system that supports multiple concurrent passwords.
Security can be improved by setting a short expiry and limiting the number of uses of the password set by the password reset function available to unauthenticated users.
If the new passwords are distributed by email, then the user accounts are only as secure as the email delivery system. Ideally, the system would support but not require encrypted email for new password distribution.
| [reply] |
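An added example (not code from PerlMonks or from anyone in this thread) of the reset design described above, in Python: passwords are kept only as salted hashes, an unauthenticated reset adds a second short-lived, single-use password without touching the current one, and only an authenticated change invalidates all previous passwords. The class and method names, the 15-minute expiry and the PBKDF2 parameters are assumptions.

```python
import hashlib
import os
import secrets

def _digest(password, salt):
    # Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordStore:
    def __init__(self):
        # name -> {"main": (salt, digest), "reset": None or a temporary credential}
        self.users = {}

    def create(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"main": (salt, _digest(password, salt)), "reset": None}

    def request_reset(self, name, now, ttl=900, max_uses=1):
        # Unauthenticated path: add a short-lived, limited-use extra password.
        # The main password stays valid, so a stranger cannot lock the owner out.
        user = self.users.get(name)
        if user is None:
            return None  # respond identically for unknown accounts
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        user["reset"] = {"salt": salt, "digest": _digest(temp, salt),
                         "expires": now + ttl, "uses": max_uses}
        return temp  # to be sent to the e-mail address on file

    def authenticate(self, name, password, now):
        user = self.users.get(name)
        if user is None:
            return False
        salt, digest = user["main"]
        if secrets.compare_digest(_digest(password, salt), digest):
            return True
        r = user["reset"]
        if (r and now < r["expires"] and r["uses"] > 0
                and secrets.compare_digest(_digest(password, r["salt"]), r["digest"])):
            r["uses"] -= 1
            return True
        return False

    def change_password(self, name, current, new, now):
        # Authenticated path: only here are all previous passwords invalidated.
        if not self.authenticate(name, current, now):
            return False
        salt = os.urandom(16)
        self.users[name] = {"main": (salt, _digest(new, salt)), "reset": None}
        return True
```

The temporary password is itself stored only as a salted hash, so a copy of the database still yields nothing reusable.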
Re: It's Time for Everyone to Change Passwords!
by moritz (Cardinal) on Jul 29, 2009 at 13:07 UTC
|
How hard would it be to only store hashed (+salted) passwords in future? At least then the worries about other accounts with the same or similar passwords would be gone if such a thing happened again. | [reply] |
|
This ought to be a top priority. Really, if a user posted a question here about storing passwords, I'd be telling them they shouldn't be allowed near the passwords if they don't see the importance of at least hashing them. I'm very, very surprised that a technical site like PM doesn't do this already.
| [reply] |
|
It shouldn't be a question of how hard, rather it should be a question of when. Given the large number of nodes discussing exactly this, many with advice from the gods, I have no doubt a sane security policy can be put in place.
The real questions are:
- When?
- How will the users be informed?
| [reply] |
|
I actually had to explain to the admins on here this morning why hashed passwords might be a good idea. We are so hosed.
| [reply] |
|
None of the admins doubt that hashed passwords are a good idea, so I have no idea what you are talking about.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by kyle (Abbot) on Jul 29, 2009 at 12:13 UTC
|
In light of this, I think it would be a good time to update Changing your password to reflect how the "edit your user information" link has moved. It's no longer at the bottom on the left. Rather, it's at the top, and it's called "Profile" now.
| [reply] |
Re: It's Time for Everyone to Change Passwords! (changed)
by tye (Sage) on Jul 29, 2009 at 21:14 UTC
|
All of the published passwords have been changed. Most of the parties involved have been e-mailed about this (still fighting anti-spam measures to get the remaining e-mails out) both at their prior e-mail address and their new e-mail address (if their e-mail address was recently changed).
Sorry, I've spent a lot of time working on this already and don't have time to compose a long notice about details or plans, most of which have been published by other people already anyway.
Sorry for the inconvenience and thanks for your patience.
| [reply] |
|
I looked through a bunch of the posts, and did not see the issue brought up or addressed, but what if my email was changed a while back and I never got around to updating it on perlmonks as I don't frequent the site very often anymore. It has obviously been changed.
So without being able to know which email it went to, and not being able to change the email it should go to, what is my next step, if I don't wish to create a new account?
| [reply] |
|
Looks like I am one of the affected and the email got lost. Could you try to send it again to my CPAN email once you have a moment? No rush. I'm not sure what, if any, email address I have on file on Perlmonks.
Thanks, Jenda@CPAN.org
| [reply] |
|
Got it, thanks!
Jenda
Enoch was right!
Enjoy the last years of Rome.
| [reply] |
|
I've been affected and the password retrieval tool either doesn't seem to be working or my email address has been changed. No biggie. Could you email my new password to "will at silent11 dot com" or Direct Message me using the twitter handle located on my profile page?
Thanks.
silent11
| [reply] |
|
Disregard the above message. If the crackers hadn't posted everyone's email address I wouldn't have known what address to send my new password to.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by salva (Canon) on Jul 29, 2009 at 11:12 UTC
|
It is likely that some people used the same password/login combination in other Perl related forums (i.e. use.perl, CPAN, rt, etc.).
As the list of passwords seems to be publicly available now, would it make sense to also check the user accounts on these sites and take the required measures to disable the ones found to be compromised?
At least, can we make a list of Perl-related sites users should check just in case they reused the Perlmonks password there?
| [reply] |
|
The site is 404 now and I found only one public mirror so far.
However, the hack is a few months old already: Fri Apr 15 13:34:52 2005
BTW, interesting new user: 784161
Update: while the date was wrong (can't believe I misread this) the hack is still a few months old.
| [reply] [d/l] |
|
That particular output of uname is the kernel version, i.e. when it was compiled. uname doesn't output the current date.
| [reply] |
|
Please note: The April 15, 2005 date is the output of a uname command. The list of saints includes users who did not exist in 2005 and/or people who were only added to the Saints list at the end of April, 2009. This is a recent hack.
Best, beth
| [reply] [d/l] |
|
however the hack is a few months old already : Fri Apr 15
I'm guessing, but from comments in the CB I've gathered that the server that was hacked was an old machine, which is still up but no longer in active use. So the hack might very well be more recent, with only older information being disclosed.
| [reply] [d/l] |
It's still out there, now mirrored in several places (not by me, but others). Since PerlMonks is still up and running, some must think there's no risks remaining. In the interest of full disclosure here's the *TEXT ONLY* of the posting:
There is a really simple reason we owned PerlMonks: we couldn't resist more
than 50,000 unencrypted programmer passwords.
That's right, unhashed. Just sitting in the database. From which they save
convenient backups for us.
Believe it or not, there is actually debate at perlmonks about whether or not
this is a good idea. Let's just settle the argument right now and say it was
an idea that children with mental disabilities would be smart enough to scoff
at. We considered patching this for you but we were just too busy and lazy.
I'm sure you can figure it out yourselves.
This isn't a bad set of passwords, either. Programmers have access to
interesting things. These Perl guys are alright, just a little dumb apparently.
A lot of them reuse. You can explore them yourselves, I really do not want to
point out anyone in particular.
...
In case you guys are worried, we did NOT backdoor dozens of your public Perl
projects. Honest. Why would we want to do that?
Not worth our time ;)
| [reply] |
No, it's time for everyone's exposed passwords to be changed by admins
by Your Mother (Archbishop) on Jul 29, 2009 at 15:32 UTC
|
There are *many* users on the saints page who haven't logged in in years, or won't log in soon. Janitors or Gods need to bulk change them all and send an email or special instructions for recovery to all affected users.
(I understand these things happen and I'm not particularly worried. Just want the right solution.)
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by mzedeler (Pilgrim) on Jul 29, 2009 at 09:32 UTC
|
Are we sure that perlmonks.org isn't still compromised? If we haven't gone through the motions closing all security holes and reinstalling on a fresh OS, it doesn't make much sense to ask people to change their passwords at perlmonks.org.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by Khen1950fx (Canon) on Jul 29, 2009 at 09:02 UTC
|
I had my identity stolen twice back in 1999 when I was using Windows. I got rid of Windows, and I've used Fedora exclusively since then. All my passwords are throw-away with no connection to any personal information at all. I make it a point not to give out my SSN, address, birthday, phone number, etc., over the internet or over cordless phones or cell phones. If they really want my nodes here that bad, then I give them to them. Take my nodes, please! :-) | [reply] |
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 29, 2009 at 08:37 UTC
|
Change mine please, it's been a while since I logged in, I think I lost it.
I'm vroom, can you change it to mooorv?
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by Argel (Prior) on Jul 30, 2009 at 00:08 UTC
|
FWIW, I don't think I ever received an email but obviously found out about it when I lost my Perl-Blue theme. My eyes!!! (^_^)
Is there a place with more details, such as where our information was published? I'm interested in knowing where my information was exposed.
Elda Taluta; Sarks Sark; Ark Arks
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by Lawliet (Curate) on Jul 30, 2009 at 05:17 UTC
|
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by Skeeve (Parson) on Jul 30, 2009 at 06:27 UTC
|
Don't give too many hints!
I suggest to take the Saints in our Book page down or at least remove the information when a user last logged in. It might not be a big issue, but seeing that someone didn't log in for 46 weeks now implies that he might not know of his published password and so odds are better that his password is still valid on other sites.
s$$([},&%#}/&/]+}%&{})*;#$&&s&&$^X.($'^"%]=\&(|?*{%
+.+=%;.#_}\&"^"-+%*).}%:##%}={~=~:.")&e&&s""`$''`"e
| [reply] [d/l] [select] |
|
I see that blazar (who died in late 2008, I believe) logged in 12 hours ago ... which is a bit unsettling. Who is going to change his password ?
Cheers, Rob Update: I see that new passwords have been allocated to anyone who hadn't made a change ... I think this will probably take care of the matter.
| [reply] |
|
My other account Courage, which is actually my favourite (and "officially" approved), is also seemingly compromised - I can't log in, and it was in saints... mailing the password does not work, I guess my email was changed?
OMG... what to do??
| [reply] |
|
Oops. Having the same ugly impression that some non-saint accounts are being used by impersonators. :-(
With kind regards.
ddn123456
| [reply] |
|
OMG, I completely missed that post! The thread is Sad news. How tragic!! (T_T)
Elda Taluta; Sarks Sark; Ark Arks
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by sutch (Curate) on Jul 29, 2009 at 22:32 UTC
|
This must be a promotional gimmick to get PerlMonks that moved to Ruby to come back to the PerlMonks site! | [reply] |
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 15:05 UTC
|
Well, shoot. The password my browser remembers doesn't work, every password I think is likely for me to have used doesn't work, and the password reminder is probably going to a defunct email address. Any suggestions on what I can do? I'm scain if it matters. | [reply] |
Re: It's Time for Everyone to Change Passwords!
by ig (Vicar) on Jul 29, 2009 at 09:11 UTC
|
duplicate, sorry... I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker than waiting for everyone to get the message and reset their own passwords.
| [reply] |
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 23:23 UTC
|
It seems I've been affected. My password no longer works and the "password reminder" does not send me any emails. What do I do?
user = mifflin | [reply] |
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Jul 30, 2009 at 20:52 UTC
|
All I say - they won
- for a long time already the PM site has had long response times... it was periodically explained that this is due to some attacks which result in overloading the servers.
Anyway, long responses make users of the site go away
- all the stupid HTML tags also make me sad... people all over the world have convenient typing systems, and only here I must enter <p><br><i>stupidity
- and now this password stealing - and they seemingly changed passwords of many users
sad, all is sad.
It is obvious that gods are devoting their own time and deserve applause, not criticism. They do improvements, but these improvements are often too backward-compatible, or awkward-compatible. And the result is - typesetting is awkward and obsolete, the site is successfully attacked over a long time already...
enemies won :( | [reply] [d/l] |
Re: It's Time for Everyone to Change Passwords!
by Anonymous Monk on Aug 01, 2009 at 15:58 UTC
|
|
Do you want your email address to be public now?
| [reply] |