PerlMonks  

Re^3: Status of Recent User Information Leak

by Anonymous Monk
on Jul 31, 2009 at 16:58 UTC (#784941)


in reply to Re^2: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

Posting as anonymous because I can't log in right now.

I'm furious this site used plaintext passwords. What a??holes even consider launching a basic site, let alone one used by professionals worldwide, storing passwords as plaintext?

Sh*t happens, sure, but setting up the most loyal users to be f*cked is NOT cool.

I sincerely doubt I'll use this kindergarten site again. It was NOT worth the sainthood.


Re^4: Status of Recent User Information Leak
by Anonymous Monk on Jul 31, 2009 at 17:09 UTC
    Congratulations

      Just because Mailman does it doesn't mean it's a good idea. In fact, although I would not have expressed it in quite the way he did, I kind of agree with him. Storing passwords in cleartext is one thing if you've got three users; it's something else again if you've got hundreds of users, or thousands. It was on Perlmonks that I learned to build code that takes security into consideration first, code that runs under strictures and taint checking and so on and so forth. Furthermore, it was on Perlmonks that someone pointed out to me that a compromised password isn't just dangerous to the site in question, but potentially to user accounts on other sites, if users use the same passwords in multiple places.

      I have always sort of implicitly assumed that Perlmonks used password hashing and per-user salt, because that's the way good programmers roll. I knew that some mistakes were made in the early formative years of the site, which have since been regretted (e.g., ISTR that someone specifically mentioned storing active Perl code in the database as an instance of this), but something as scary as clear-text passwords... I just sort of assumed that even if it had been that way years ago, it would have been long since corrected by now. I was very surprised to learn otherwise, and I consider the storage of passwords in cleartext to be totally out of character for the site.

      If this had happened on slashdot, I would have just shrugged, changed my password, and gone about my life. But I expected more from Perlmonks.

        Congratulations, I expected you to click the correct reply button :D I did not mention Mailman
Re^4: Status of Recent User Information Leak (Mailman Considered Harmful)
by LanX (Canon) on Aug 01, 2009 at 10:39 UTC
    storing passwords as plaintext?

    Guess what, I just got a password reminder from Mailman, with my password and login in cleartext... *

    let alone one used by professionals worldwide
    And now, dear tr*ll, have a look at this list... 8)

    Cheers Rolf

    UPDATE: see Mailman considered harmful

    Crosspost: http://www.perl-community.de/bat/poard/thread/13803#ms_123798

    (*) for those unaware, even "magic" p*th*n can't reconstruct a securely hashed password into plaintext!

    UPDATE2: It should be noted that Mailman explicitly warns at registration to reuse an important password. Thanks Moritz!
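Two points in this thread, the earlier reply's expectation of "password hashing and per-user salt" and Rolf's footnote that a securely hashed password cannot be turned back into plaintext, come down to the same storage scheme. As an added example (not code from PerlMonks or from anyone in the thread), here is how a site would store and check a password so that it holds no plaintext to leak or to mail out; it assumes a Unix /dev/urandom for the salt and uses only core Perl modules (Digest::SHA, MIME::Base64).

```perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# PBKDF2-HMAC-SHA256 (RFC 2898): the per-user salt makes each hash unique,
# the iteration count makes guessing slow, and nothing stored recovers the password.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dklen) = @_;
    my $out = '';
    for (my $block = 1; length($out) < $dklen; $block++) {
        my $u = hmac_sha256($salt . pack('N', $block), $password);
        my $t = $u;
        for (2 .. $iterations) {
            $u = hmac_sha256($u, $password);
            $t ^= $u;                      # string XOR of the HMAC outputs
        }
        $out .= $t;
    }
    return substr($out, 0, $dklen);
}
sub random_bytes {                         # assumption: Unix /dev/urandom for the salt
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, $_[0]; return $buf;
}
sub ct_eq {                                # compare without an early exit on first mismatch
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}
sub hash_password {                        # the user table keeps algorithm, iterations, salt, hash
    my ($password) = @_;
    my ($salt, $iter) = (random_bytes(16), 100_000);
    my $dk = pbkdf2_sha256($password, $salt, $iter, 32);
    return join '$', 'pbkdf2-sha256', $iter, encode_base64($salt, ''), encode_base64($dk, '');
}
sub verify_password {                      # recompute with the stored salt and compare
    my ($password, $stored) = @_;
    my ($algo, $iter, $salt_b64, $dk_b64) = split /\$/, $stored;
    return 0 unless defined $dk_b64 && $algo eq 'pbkdf2-sha256';
    my $dk = decode_base64($dk_b64);
    return ct_eq(pbkdf2_sha256($password, decode_base64($salt_b64), $iter, length $dk), $dk);
}

my $record = hash_password('correct horse');   # constructed sample password
print "stored record: $record\n";              # no plaintext anywhere in it
print "right password: ", (verify_password('correct horse', $record) ? 'ok' : 'denied'), "\n";
print "wrong password: ", (verify_password('Correct horse', $record) ? 'ok' : 'denied'), "\n";
```

A site that stores only this record can offer a password reset, but never a Mailman-style reminder of the original password, which is exactly the property the thread is asking for.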
