PerlMonks  

Re: Status of Recent User Information Leak

by Polyglot (Monk)
on Aug 03, 2009 at 05:49 UTC (#785345)


in reply to Status of Recent User Information Leak

I realize many have already given their two cents here. As my two cents are of a slightly different shade, I will add them to the pile.

  1. I used a random password on PerlMonks.
  2. I did not use this password anywhere else.
  3. The password had upper/lower case and digits.
  4. The password was as strong as any password could have been on PerlMonks.

And since I didn't use the password anywhere else, you might think I had nothing to lose, right? Wrong. Some people here have focused on the password as the only critical piece. But along with the password, the crackers also got our email addresses and potentially our real names (in my case I have not supplied a real name).

What advice do the "professionals" have regarding email addresses? Should we apply for a different email account for every web service we use as well? Spam is a big problem these days, as is identity theft. If we were to use a fake email address, we would be unable to sign up on PerlMonks. So, I did have something to lose after all.

It is also my understanding that it was not the user passwords that were cracked, but the server root itself. Is there any way our data could have been protected from a root-level attack? I doubt it.

I begin to wonder if the real security problem here had little to do with passwords, and everything to do with general server security procedures. On my Linux server, I use a firewall, I ban for twenty minutes any user who fails thrice to correctly enter a password, and use private/public keys with SSH on a non-standard port which will not allow anyone to log in as root. Logging in as root requires a separate step. The database is password protected with a separate password, and I do not keep dumps of the DB's user table. And I do not think my server is especially secure. There are many more steps one might take. But it sounds like, from the way PM was cracked, it was almost a giveaway.

If you want to discuss having more secure passwords here, then can we talk about having more than 8 characters in our passwords? But a chain is only as strong as its weakest link, and it seems that even the weakest of passwords belonging to users here may not have been the weak link in this case.

Blessings,

~Polyglot~
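The server-hardening steps Polyglot lists above (SSH on a non-standard port, key-only authentication, no root login, and a temporary ban after three failed password attempts) can be checked mechanically. The following is an added example written for this page, not code from Polyglot or from PerlMonks: a POSIX shell script that audits an sshd_config fragment for those three settings and that scans OpenSSH auth-log lines for source addresses that have reached the failure threshold. The config fragments and log lines are constructed samples using documentation addresses; applying the actual twenty-minute ban (for example through the host firewall) is left to the host's existing firewall tooling and is not part of the script.

```shell
#!/bin/sh
# Added example: audit sshd settings and find repeat-failure sources.
# Both functions read their input from stdin so the constructed samples
# below can be piped in without touching real system files.

# Returns 0 if the sshd_config on stdin has PermitRootLogin no,
# PasswordAuthentication no, and a Port other than the default 22.
# Prints one line per failing check.
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no'; then
        echo "PermitRootLogin is not set to no"; rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no'; then
        echo "PasswordAuthentication is not set to no (keys only)"; rc=1
    fi
    # Last uncommented Port line wins, matching sshd's first-match-per-key
    # rule closely enough for an audit; commented lines are ignored.
    port=$(printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' \
           | awk '{print $2}' | tail -n 1)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port is the default 22"; rc=1
    fi
    return $rc
}

# Prints each source IP that appears in at least $1 (default 3)
# "Failed password ... from <ip> port <n>" lines read from stdin.
failed_login_sources() {
    threshold="${1:-3}"
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Constructed sample inputs (documentation address ranges, not real hosts).
WEAK_CONFIG='#Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no'

SAMPLE_LOG='Aug  3 05:49:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  3 05:49:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Aug  3 05:49:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 40003 ssh2
Aug  3 05:50:10 host sshd[1240]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Aug  3 05:50:12 host sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Aug  3 05:51:00 host sshd[1242]: Failed password for bob from 198.51.100.7 port 50003 ssh2'

# Demonstration when run directly.
echo "== weak config =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "(fails audit)"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "(passes audit)"
echo "== sources at or above 3 failures =="
printf '%s\n' "$SAMPLE_LOG" | failed_login_sources 3
```

On a real host the config check would be fed from `sshd -T` or the sshd_config file and the log scan from the system's auth log; the threshold argument mirrors the "fails thrice" rule from the post, and only 203.0.113.5 reaches it in the sample, while 198.51.100.7 (two failures and one key-based success) stays below it.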

Re^2: Status of Recent User Information Leak
by Anonymous Monk on Aug 03, 2009 at 07:01 UTC
    I'm sorry, but that is really incoherent (well, everything after the straw man "you might think I had nothing to lose, right?").
      "I'm sorry, but that is really incoherent"

      How do you get away with writing code then?
