Re: Ideas for "fixing" PerlMonks 1.0
by jdporter (Paladin) on Dec 16, 2024 at 19:34 UTC
Are passwords still stored as plaintext?
It is — unfortunately — no secret that pm stores its passwords in plaintext. There has been plenty of discussion about this. We won't rehash it here.
Is security by obscurity really considered a valuable defence against ze baddies
I'm not talking about security — as in, preventing accounts or the site as a whole from being hacked, or personal data getting exfiltrated — so much as not revealing how the sausage gets made.
The admins do quite a bit to detect scammers and stymie trolls. We don't, for example, want you to know whom we have blocked, or how.
If the system for this site requires changing to achieve that, then it should be done.
I don't disagree. But, as has been mentioned many times, this system is very hard to change. It would be not only easier, but more advantageous in the long run, to build a new system from scratch, where everything is done The Right Way.
I am willing to put effort into that myself.
I appreciate that, and am grateful indeed.
Today's latest and greatest software contains tomorrow's zero day exploits.
Less, let's say, humorously: I note the recent attempt by Bod to discuss the elephant in the room (the password problem), at Priorities perhaps?.
Having just re-read it, I see what I believe is a way to cut the Gordian knot. It could feel like a large, atomic change is needed to both encrypt the passwords, and put in place the workflow needed to do password resets that would be needed because the plaintext isn't available anymore.
But what about making a workflow for password resets now, even though the passwords are still plaintext in the database? It would both set the conditions for then encrypting the passwords as a second, independent step, and already increase security a bit by not having plaintext passwords be emailed around, and sit in people's mailboxes for ze baddies to snarf up.
pm stores its passwords in plaintext. There has been plenty of discussion about this. We won't rehash it here.
I see what you did there.
Re: Ideas for "fixing" PerlMonks 1.0
by afoken (Chancellor) on Dec 17, 2024 at 09:24 UTC
Are passwords still stored as plaintext?
That can be easily tested, using the What's my password? page. As long as you get a mail with your password in plain text, the password must be stored in plain text, or with equivalent security. (It could be encrypted, but with both the decryption code and the decryption key available on the server.) As soon as you get some kind of one-time key instead of your password, your password may be stored hashed or hashed and salted. But unfortunately, it could also still be stored in plain text. But at least, it would not be exposed by mail any longer.
Alexander
--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
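The two-step order proposed above (reset workflow first, hashing as a later independent step) and afoken's point that the mail should carry a one-time key rather than the password, as an added Python sketch that is not PerlMonks code (the site itself is Perl; the in-memory USERS and RESET_TOKENS stores, the PBKDF2 parameters and the 15-minute token lifetime are assumptions for the example):

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the site's user table (hypothetical).
USERS = {}         # login -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}  # login -> {"token_hash": bytes, "expires": float, "used": bool}
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


def _now(now):
    return time.time() if now is None else now


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the 'second, independent step' of the post."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def set_password(login, password):
    salt, digest = hash_password(password)
    USERS[login] = {"salt": salt, "pw_hash": digest}


def check_password(login, password):
    user = USERS.get(login)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["pw_hash"])


def issue_reset_token(login, now=None):
    """Returns the one-time key that goes in the e-mail; only its hash is stored,
    so neither the mailbox nor the database ever holds the password itself."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[login] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                           "expires": _now(now) + TOKEN_TTL, "used": False}
    return token


def redeem_reset_token(login, token, new_password, now=None):
    """Accepts the token once, before expiry, then stores the new password hashed."""
    rec = RESET_TOKENS.get(login)
    if rec is None or rec["used"] or _now(now) > rec["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False
    rec["used"] = True  # one-time: a replayed or leaked old link is rejected
    set_password(login, new_password)
    return True
```

The reset flow never reads the stored password, which is what lets it be deployed while the column is still plaintext and keep working unchanged once the column is replaced by salted hashes.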
Re: Ideas for "fixing" PerlMonks 1.0
by LanX (Saint) on Dec 16, 2024 at 18:46 UTC
Sure, one could do that. But is it really worth the effort? I think not. I maintain that all effort would be better expended on trying to create a replacement system entirely from scratch. (Well, not entirely. It should be built with modern, open-source software.)