Re: Status of Recent User Information Leak
by Polyglot (Pilgrim) on Aug 03, 2009 at 05:49 UTC
I realize many have already given their two cents here. As my two cents are of a slightly different shade, I will add them to the pile.
What advice do the "professionals" have regarding email addresses? Should we apply for a different email account for every web service we use as well? Spam is a big problem these days, as is identity theft. If we were to use a fake email address, we would be unable to sign up on Perl Monks. So, I did have something to lose after all.
It is also my understanding that it was not the user passwords that were cracked, but the server root itself. Is there any way our data could have been protected from a root-level attack? I doubt it.
I begin to wonder if the real security problem here had little to do with passwords, and everything to do with general server security procedures. On my Linux server, I use a firewall, I ban for twenty minutes any user who fails thrice to correctly enter a password, and use private/public keys with SSH on a non-standard port which will not allow anyone to log in as root. Logging in as root requires a separate step. The database is password protected with a separate password, and I do not keep dumps of the DB's user table. And I do not think my server is especially secure. There are many more steps one might take. But it sounds like, from the way PM was cracked, it was almost a giveaway.
If you want to discuss having more secure passwords here, then can we talk about having more than 8 characters in our passwords? But a chain is only as strong as its weakest link, and it seems that even the weakest of passwords belonging to users here may not have been the weak link in this case.
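The post above describes a lockout rule ("ban for twenty minutes any user who fails thrice"). The following is an added example, not code from the post or from PerlMonks, showing how such a rule is typically implemented as detection logic over sshd auth log lines: failures are counted per source address in a sliding window, a ban is recorded when the threshold is hit, and attempts during the ban are counted as blocked. The log lines are constructed for illustration; the ten-minute failure window, the 2009 year supplied for the year-less syslog timestamps, and the host name are assumptions, not values from the post.

```python
"""Sliding-window lockout over sshd auth log lines (added example with constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Linux syslog/sshd format; illustrative only, not from any real host.
SAMPLE_AUTH_LOG = """\
Aug  3 05:12:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug  3 05:12:04 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug  3 05:12:09 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Aug  3 05:13:00 host sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40140 ssh2
Aug  3 05:20:15 host sshd[2150]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Aug  3 05:20:40 host sshd[2152]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
Aug  3 05:45:00 host sshd[2200]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2009):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumed 2009 here).
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "failed": m["outcome"].startswith("Failed"), "user": m["user"], "ip": m["ip"]}


class LockoutTracker:
    """Three failures from one source within the window -> ban that source for ban_time."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10), ban_time=timedelta(minutes=20)):
        self.max_failures = max_failures
        self.window = window          # assumed 10-minute sliding window for counting failures
        self.ban_time = ban_time      # the twenty-minute ban from the post
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ban_until = {}           # ip -> datetime the ban expires
        self.bans = []                # (ip, banned_at, until) in the order they were issued
        self.blocked = defaultdict(int)     # ip -> attempts seen while banned

    def is_banned(self, ip, now):
        return ip in self.ban_until and now < self.ban_until[ip]

    def observe(self, event):
        """Feed one parsed event; returns 'blocked', 'accepted', 'banned' or 'failed'."""
        ip, now = event["ip"], event["ts"]
        if self.is_banned(ip, now):
            # With a real firewall rule the packet would be dropped; here we just count it.
            self.blocked[ip] += 1
            return "blocked"
        if not event["failed"]:
            self.failures.pop(ip, None)  # a successful login resets the failure count
            return "accepted"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            until = now + self.ban_time
            self.ban_until[ip] = until
            self.bans.append((ip, now, until))
            q.clear()
            return "banned"
        return "failed"


def process_log(text, **tracker_kwargs):
    """Run the tracker over a log text; returns (tracker, [(ts, ip, outcome), ...])."""
    tracker = LockoutTracker(**tracker_kwargs)
    outcomes = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        outcomes.append((ev["ts"], ev["ip"], tracker.observe(ev)))
    return tracker, outcomes


if __name__ == "__main__":
    tracker, outcomes = process_log(SAMPLE_AUTH_LOG)
    for ts, ip, outcome in outcomes:
        print(ts.isoformat(), ip, outcome)
    for ip, start, until in tracker.bans:
        print(f"ban {ip} from {start.time()} until {until.time()}")
```

On the constructed lines, the third failure from 198.51.100.7 at 05:12:09 triggers a ban until 05:32:09, the attempt at 05:13:00 is counted as blocked, and the failure at 05:45:00 starts a fresh count because the ban has expired; the single failure from 203.0.113.9 is wiped by the subsequent key-based login. Tools such as fail2ban implement the same idea by appending firewall rules rather than keeping the state in memory.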