Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Re^2: Status of Recent User Information Leak

by biohisham (Priest)
on Aug 03, 2009 at 14:49 UTC ( #785474=note: print w/ replies, xml ) Need Help??


in reply to Re: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

Everybody at Perl Monks make you feel not-alone or left-out in front of an angry boss, a lazy soul that whispers at pulling you offtrack from learning Perl consistently or any monstrous authority for that matter, a great win-win to everyone PM is. Instead of criticizing the admins and debating whether they have neglected a security aspect we should be glad that they could bear the hassle of running this free site and all the bedeviling shots that come along, without PM all of us would be punching in the dark sometime somewhere to get a certain code working or would be going through noncontiguous Google's results in order to extract some knowledge which is a frustration. Risk arises if the displayed passwords were shared for different user-accounts, but is this not against the very strict rule that says "each account somebody has should have it's own independent password" too?, so maybe all of us share the blame if we were among those who pooled their passwords. As you said, crediting the Admins, the monks and the users in here for this site is worth it,supporting them is worth it and looking up to them is worth it as well..

Excellence is an Endeavor of Persistence. Chance Favors a Prepared Mind


Comment on Re^2: Status of Recent User Information Leak
Download Code
Re^3: Status of Recent User Information Leak
by Anonymous Monk on Aug 04, 2009 at 08:52 UTC
    Instead of criticizing the admins and debating whether they have neglected a security aspect we should be glad that they could bear the hassle of running this free site and all the bedeviling shots that come along, without PM all of us would be punching in the dark sometime somewhere to get a certain code working

    There is no question that the site bears some useful purpose. But such a fundamental mistake as to directly expose plain-text passwords absolutely deserves strong criticism.

    Only a few months ago I stood my ground (through a protracted potentially career-limiting argument) with a project manager about salting passwords used for a website I was involved with the creation of. He didn't get it because he wasn't technical. The Admins of this site, however, should have "got it".

    I can no longer post to this site using my original user name as my e-mail address has been published and could well be used to infer projects I am involved with. However that's inconvenient, not unforgivable, as hacks happen. Having to change other sites' passwords as a result of plain text leaks, however, is intolerable.

      directly expose plain-text passwords

      What do you mean by directly expose?

      I've said before that I agree it was a bush-league mistake and it would be nice to see the site practice what we all preach but I'm getting sick of critiques like yours because they're all fundamentally flawed. As every sign-in on this site is under http and not https your password is sent as clear text regardless of how it happens to be stored on the site. It's inherently insecure.

      (update: noticed parv, and others, brought this up already.)

Re^3: Status of Recent User Information Leak
by Anonymous Monk on Aug 04, 2009 at 09:00 UTC
    each account somebody has should have it's own independent password

    This is an ideal. Personally I juggle about 10 different passwords in my head. A unique one for EVERY site that needs access? Impossible. A password manager? Not on every access point I use.

    I was using a password on this site I share with other non-critical systems so there was no risk of any commercial system being accessed using the exposed password. However I did have to go and change my generic password on the other websites on which I use it.

    The problem with computer development is that it is a small part science and a large part art. A large part of it is managing risk. How much risk do you take using 1 password vs convenience? How about 5 passwords vs convenience. How about 250 (pretty inconvenient for me, I can't even name every bone in the body.. might work for surgeons though..)?

    Now trade the effort required to salt and store passwords. Hmm, about 3 minutes using the crypt() function. How much risk is alleviated doing this? More than enough to mandate it for any web project.

        The way cookies are done also needs to be changed.

        And that leads to requiring the entering of your existing password in order to be able to change your password.

        And that leads to providing a way to get around the above protection which leads to wanting a "security question and answer" and also adding some restrictions and notifications around attempts to change one's e-mail address.

        And then there is the whole "sending password in plain-text" being required to login so we need to make login require (or at least support and probably strongly encourage) https.

        And that leads to replacing the "login nodelet".

        And nobody who actually currently does any significant work on maintaining this site was around when whoever made that first decision to not bother to hash passwords (as far as I know).

        And tons of people have gotten their password e-mailed to them and not raised a tantrum like several people have recently so "plain-text passwords" hasn't been much of a hot topic over all these years.

        And then there is that just using Perl's crypt (as suggested) would have meant that most (or certainly a large fraction) of the passwords I've seen would have been easily found anyway with standard dictionary attacks.

        And even if I'd chosen a password that I was confident wouldn't be found in a 'crack' dictionary, I'd still go change any places where I'd re-used it once the hacking of the site was reported (I'd just be less panicked while doing so).

        (But, yes, hashing passwords is an obvious best practice and something we regret not implementing sooner.)

        - tye        

Re^3: Status of Recent User Information Leak
by Polyglot (Monk) on Aug 15, 2009 at 10:32 UTC
    Instead of criticizing the admins and debating whether they have neglected a security aspect we should be glad that they could bear the hassle of running this free site and all the bedeviling shots that come along, without PM all of us would be punching in the dark sometime somewhere to get a certain code working or would be going through noncontiguous Google's results in order to extract some knowledge which is a frustration.
    How many users does it take to make the programmers of a "free software" bear some responsibility for its integrity?

    Consider the following "free" things, and whether you would be a bit indisposed if any one of them had a similar leak of your email address, password, and real name due to a server that wasn't secure.

    • linux
    • Firefox
    • Skype
    • Gmail
    • Hotmail
    • Yahoo Mail
    • MSN Messenger
    • Facebook
    Businesses have come to rely on these products. Should they not? Should everyone be content for the free service these products give, even if now and then their security is breached and passwords, emails, and IDs become public info?

    Blessings,

    ~Polyglot~

      Yeah, you have a point there, when you talk about each one of the services you mentioned, Linux and down to Facebook, remember, these guys are companies, they are established as companies, they have many other sources of income and hence they could afford rendering a free service or more than one free service "or flavor", setting the standards for the industry.

      That is one side, the other side is, the amount of huge businesses that advertise their contents through these sites is another source of income which is generous, here at PM, it is much of a community participation or cooperative work, the members themselves donate and share for the betterment of the site - more or less of course- You really have a point that it is frustrating when a leak takes place but considering the circumstances where this matter happened is worth noticing, first, the server that had these information was a retired one and second, it was a remote probability that it could be accessed. I am not vouching for PM and I am not sympathizing with those who got their passwords compromised and neither am I implying that a free service has downgrades simply because it is free, those who got other sources of stability can afford a top-of-the-bar standard easier than can others, it is sad, but the responsibility is mutual and so is the burden here at Perl Monks.



      Excellence is an Endeavor of Persistence. Chance Favors a Prepared Mind.
        Oh what the heck, since I'm revisting this thread....
        Yeah, you have a point there, when you talk about each one of the services you mentioned, Linux and down to Facebook, remember, these guys are companies, they are established as companies, they have many other sources of income and hence they could afford rendering a free service or more than one free service "or flavor", setting the standards for the industry.
        Actually, "linux" [sic] isn't a company, though there are companies that create Linux distros. And Firefox is put out by the Mozilla Foundation, so once again, not a company. Companies provide funds to help these projects out and may even assign people to work on these projects but at the end of the day they are not companies. But more importantly, Perl benefits in the same way! Furthermore, PerlMonks is part of The Perl Foundation, which makes it similar to the Mozilla Foundation.

        Your comments may make sense for the rest of the list, but they are way off-base for Linux and Firefox.

        Elda Taluta; Sarks Sark; Ark Arks

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://785474]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (8)
As of 2014-10-21 07:40 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (98 votes), past polls