Everyone should change their passwords. Just because your password wasn't published (I was very tempted to post the link), doesn't mean that someone doesn't have it. Fortunately, a couple of years ago I started getting more concerned about security and I considered Perlmonks a "low-risk" site (in terms of whether or not I care about a compromise), so I deliberately switched this password to an unique easy-to-remember one (pineappl, if you're curious). It's now changed to something far stronger, but it's another throwaway password. I assume that things like this will recur. It's safer that way.

Not a lot of point...

Yet, for those who have used the same password on multiple sites, it is better that they change them to something unique, particularly if the new one will be compromised.

It is currently front-paged, but this is not sufficient; your banner idea sounds like a good one. I don't normally enter through the Monastery Gates, but instead jump directly to SOPW, as that's where everything that interests me tends to be found. If not for a chatterbox mention of passwords being published, I would not be aware of this.

Voting up the announcement to get it into daily/weekly best would also help with getting the word out, but a site-wide banner would probably be the most effective way to do it.

I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker than waiting for everyone to get the message and reset their own passwords.

And an email to all users, to reach those who might otherwise not login and learn of the breach any time soon. Some of them might want to reset passwords elsewhere.

I suggest everyone's password be randomized.

There is a danger in that, because several people (especially users with old accounts) will not have updated their email address and will therefore not receive their new password. Despite that, I strongly support this suggestion, dealing with people who have lost access is going to result in a lot less pain than having malicious kiddies logging onto overlooked accounts for months to come.

Also, I think virtualsue is absolutely right, take the site down now and don't put it back up until it's running on a known-clean machine.


All dogma is stupid.

Not only that, but there are also people who haven't been to perlmonks for quite some time (perhaps with the intent to never return). I guess we don't have those accounts to be misused either.

A nice-to-have feature would be a "gimme a new random password and instantly send me a reminder" button on the settings page where the password gets changed.

In fact, I'm sure that's what the "I forgot my password" button does - maybe all we need to do is make that button easier to find for a logged-in user.

Which reminds me, it's not obvious where "Change password" is - I wandered around my profile for a while before finding it.


Mike

The password reminder (as I used it yesterday) doesn't set a new password. It sends current password in an email.

If the passwords were encrypted, as they should be, then the current password reminder function would not be possible.

If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).

This risk can be mitigated by having the password reset function set a new additional password if the user is unauthenticated, without invalidating the current password. Only if the user is currently authenticated should the password reset function invalidate previous passwords. This presumes an authentication system that supports multiple concurrent passwords.

Security can be improved by setting a short expiry and limiting the number of uses of the password set by the password reset function available to unauthenticated users.

If the new passwords are distributed by email, then the user accounts are only as secure as the email delivery system. Ideally, the system would support but not require encrypted email for new password distribution.

Exactly, I agree on this. That button is not really easy to find... It is bad that somebody wanted to neutralize our place of refuge :(... I did not know of this until I glanced through the chatterbox too
Excellence is an Endeavor of Persistence. Chance Favors a Prepared Mind

This ought to be a top priority. Really, if a user posted a question here about storing passwords, I'd be telling them they shouldn't be allowed near the passwords if they don't see the importance of at least hashing them. I'm very, very surprised that a technical site like PM doesn't do this already.

It shouldn't be a question of how hard, rather it should be a question of when. Given the large number of nodes discussing exactly this, many with advice from the gods, I have no doubt a sane security policy can be put in place.

The real questions are:

• When?
• How will the users be informed?

I actually had to explain to the admins on here this morning why hashed passwords might be a good idea. We are so hosed.

None of the admins doubt that hashed passwords are a good idea, so I have no idea what you are talking about.
--
Online Fortune Cookie Search
Office Space merchandise

In light of this, I think it would be a good time to update Changing your password to reflect how the "edit your user information" link has moved. It's no longer at the bottom on the left. Rather, it's at the top, and it's called "Profile" now.

Done. Thanks, kyle!

HTH,

planetscape

All of the published passwords have been changed. Most of the parties involved have been e-mailed about this (still fighting anti-spam measures to get the remaining e-mails out) both at their prior e-mail address and their new e-mail address (if their e-mail address was recently changed).

Sorry, I've spent a lot of time working on this already and don't have time to compose a long notice about details or plans, most of which have been published by other people already anyway.

Sorry for the inconvenience and thanks for your patience.

All of the published passwords have been changed.

Thanks for that, and also for the fact that the page that does "send a password reminder for my perlmonks account to my email address" worked just fine.

I'm glad to be back.

I looked through a bunch of the posts, and did not see the issue brought up or addressed, but what if my email was changed a while back and I never got around to updating it on perlmonks as I don't frequent the site very often anymore. It has obviously been changed.

So without being able to know which email it went to, and not being able to change the email it should go to, what is my next step, if i don't wish to create a new account.

I've been effected and the password retrieval tool either doesn't seem to be working or my email address has been changed. No biggie. Could you email my new password to "will at silent11 dot com" or Direct Message me using the twitter handle located on my profile page?

Thanks.


silent11

Disregard the above message. If the crackers hadn't of posted everyone's email address I wouldn't have know what address to send my new password to.

Looks like I am one of the affected and the email got lost. Could you try to send it again to my CPAN email once you have a moment? No rush. I'm not sure what, if any, email address do I have on file on Perlmonks.

Thanks, Jenda@CPAN.org

Got it, thanks!

Jenda
Enoch was right!
Enjoy the last years of Rome.

As the list of passwords seems to be publicly available now, would it make sense to also check the user accounts on this sites and take the required measures to disable the ones found to be compromised?

At least, can we make a list of Perl relates sites users should check just in case they reused the Perlmonks password there?

the site is 404 now and i found only one public mirror so far.
however the hack is a few months old already : Fri Apr 15 13:34:52 2005
btw interesting new user : 784161

update: while the date was wrong (can't believe i misread this) the hack is still a few months old

that particular output of uname is the kernel version, IE when it was compiled. uname doesn't output the current date.

Please note: The April 15, 2005 date is the output of a uname command. The list of saints includes users who did not exist in 2005 and/or people who were only added to the Saints list at the end of April, 2009. This is a recent hack.

Best, beth

however the hack ia few month old already : Fri Apr 15

I'm guessing, but from comments in the CB I've gathered that the server that was hacked was an old machine, which is still up but no longer in active use. So the hack might very well be more recent, with only older information being disclosed.


All dogma is stupid.

It's still out there, now mirrored in several places (not by me, but others). Since PerlMonks is still up and running, some must think there's no risks remaining. In the interest of full disclosure here's the *TEXT ONLY* of the posting:

There is a really simple reason we owned PerlMonks: we couldn't resist more than 50,000 unencrypted programmer passwords.

That's right, unhashed. Just sitting in the database. From which they save convenient backups for us.

Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let's just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I'm sure you can figure it out yourselves.

This isn't a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

...

In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

Not worth our time ;)

There are *many* users on the saints page who haven't logged in in years, or won't log in soon. Janitors or Gods need to bulk change them all and send an email or special instructions for recovery to all affected users.

(I understand these things happen and I'm not particularly worried. Just want the right solution.)

Are we sure that perlmonks.org isn't still compromised? If we haven't gone through the motions closing all security holes and reinstalling on a fresh OS, it doesn't make much sense to ask people to change their passwords at perlmonks.org.

Is there a place with more details, such as where our information was published? I'm interested in knowing where my information was exposed.

The good news is that if you aren't a janitor and aren't in Saints in our Book your password was *not* disclosed to the general public

And here I was celebrating the fact I finally made it to Saint status >.>

Don't give to many hints!

I suggest to take the Saints in our Book page down or at least remove the information when a user last logged in. It might not be a big issue, but seeing that someone didn't log in for 46 weeks now implies that he might not know of his published password and so odds are better that his password is still valid on other sites.

I see that blazar (who died in late 2008, I believe) logged in 12 hours ago ... which is a bit unsettling.
Who is going to change his password ?

Cheers,
Rob
Update: I see that new passwords have been allocated to anyone who hadn't made a change ... I think this will probably take care of the matter.

my other account Courage, which is actually my favourite, (and "officially "approved) is also seemingly compromised - I can't login, and it was in saints...
mailing the password does not work, I guess my email was changed?

OMG... what to do??

Oops. Having the same ugly impression that some none saint accounts are being used by impersonators. :-(

With kind regards.
ddn123456

OMG, I completely missed that post! The the thread is Sad news. How tragic!! (T_T)

Elda Taluta; Sarks Sark; Ark Arks

duplicate, sorry... I suggest everyone's password be randomized. Users can then have their new passwords emailed to themselves. This will be much quicker that waiting for everyone getting the message to reset their own passwords.

user = mifflin

• long time already PM site has long responce time... it was periodically explained that this is due to some attacks which results in overloading the servers.
  Anyway, long responce make users of site to go away
• all the stupid HTML tags also makes me sad... people all over the world has convenient typing system, and only here I must enter <p><br><i>stupidity
• and now this password stealing - and they seemingly changed passwords of many users

sad, all is sad.
It is obvious that gods are devoting their own time and deserve applauses, not criticizing.
they do improvements, but these improvements are often too backward-compatible, or awkward-compatible.
And the result is - typesetting is awkward and obsolete, the site is succesfully attacked over a long time already...
enemies won :(

all the stupid HTML tags also makes me sad... people all over the world has convenient typing system, and only here I must enter <p><br><i>stupidity

I prefer the HTML markup and find it very convenient. What other typing systems are you referring to? BBCode?

I don't mind occasionally having to reinvent a wheel; I don't even mind using someone's reinvented wheel occasionally. But it helps a lot if it is symmetric, contains no fewer than ten sides, and has the axle centered. I do tire of trapezoidal wheels with offset axles. --Joseph Newcomer

I was referring to markup widely accepted in wiki. stripped HTML markup is hard to type.

(yes, that anonymous person above was me :) )

20090811 Janitored by Corion: Redacted email addresses

All set. Thanks.


___________
Eric Hodges

Do you want your email address to be public now?