|Keep It Simple, Stupid|
Re^3: Status of Recent User Information Leakby jettero (Monsignor)
|on Aug 02, 2009 at 05:31 UTC||Need Help??|
There seem to be an awful lot of overreactions going on here. Breakins happen from time to time. Storing the passwords cleartext is embarassing, sure, but it was probably considered handy for mailing passwords to people back in 1996 or whatever.
Also, hashing the passwords does not make them that much safer. Are you talking md5/sha1 hmac stuff like the Linux shadow files? Well, a few hours with john will get you a huge majority of the passwords I imagine, even with salts. And for the patient (or the botnet operator), even the really good ones will be discovered in relatively short order.
Pfft, I say. This is why you should use a randomly generated unique password on each site.
It doesn't really have anything to do with Perl or the Perl community either. I imagine the everything 2 engine has crypted passwords -- I don't really know that, I just imagine. Probably this was a bad design decision unique to this particular e2 site.
I'd guess more forum sites store passwords cleartext than don't though, doesn't really matter what language. It was really common to send your clear text password over cleartext email when you clicked "forgot password." A lot of sites changed this behavior, for good reasons, but a lot didn't. It's historical, not a Perl-the-language problem.
Basically, people were just too lazy to change it, because that's how it's always been.