PerlMonks  

Ideas for "fixing" PerlMonks 1.0

by etj (Priest)
on Dec 16, 2024 at 17:42 UTC [id://11163197]

Originally posted as a reply to Re^4: Ideas for PerlMonks 2.0

You mention security. Are passwords still stored as plaintext? Is security by obscurity really considered a valuable defence against ze baddies here?

As a generality, I think that separating code and data is a good thing, and makes for better design. If the system for this site requires changing to achieve that, then it should be done. I am willing to put effort into that myself. I never got going with the "add markdown as an option", and that is largely due to there not being a dev environment possible.

Re: Ideas for "fixing" PerlMonks 1.0
by jdporter (Paladin) on Dec 16, 2024 at 19:34 UTC
    Are passwords still stored as plaintext?

    It is — unfortunately — no secret that pm stores its passwords in plaintext. There has been plenty of discussion about this. We won't rehash it here.

    Is security by obscurity really considered a valuable defence against ze baddies

    I'm not talking about security — as in, preventing accounts or the site as a whole from being hacked, or personal data getting exfiltrated — so much as not revealing how the sausage gets made. The admins do quite a bit to detect scammers and stymie trolls. We don't, for example, want you to know whom we have blocked, or how.

    If the system for this site requires changing to achieve that, then it should be done.

    I don't disagree. But, as has been mentioned many times, this system is very hard to change. It would be not only easier, but more advantageous in the long run, to build a new system from scratch, where everything is done The Right Way.

    I am willing to put effort into that myself.

    I appreciate that, and am grateful indeed.

    Today's latest and greatest software contains tomorrow's zero-day exploits.

      Less, let's say, humorously: I note the recent attempt by Bod to discuss the elephant in the room (the password problem), at Priorities perhaps?.

      Having just re-read it, I see what I believe is a way to cut the Gordian knot. It could feel like a large, atomic change is needed to both encrypt the passwords, and put in place the workflow needed to do password resets that would be needed because the plaintext isn't available anymore.

      But what about making a workflow for password resets now, even though the passwords are still plaintext in the database? It would both set the conditions for then encrypting the passwords as a second, independent step, and already increase security a bit by not having plaintext passwords be emailed around, and sit in people's mailboxes for ze baddies to snarf up.

      pm stores its passwords in plaintext. There has been plenty of discussion about this. We won't rehash it here.

      I see what you did there.

      pm stores its passwords in plaintext. We won't rehash it here.

      Pun intended?

      (and now I see etj made the same comment, and I would delete this post if PM had that capability...)

Re: Ideas for "fixing" PerlMonks 1.0
by afoken (Chancellor) on Dec 17, 2024 at 09:24 UTC
    Are passwords still stored as plaintext?

    That can be easily tested, using the What's my password? page. As long as you get a mail with your password in plain text, the password must be stored in plain text, or with equivalent security. (It could be encrypted, but with both the decryption code and the decryption key available on the server.) As soon as you get some kind of one-time key instead of your password, your password may be stored hashed or hashed and salted. But unfortunately, it could also still be stored in plain text. But at least, it would not be exposed by mail any longer.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
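The two-step migration sketched in the reply above (a token-based reset workflow first, hashing the stored passwords as an independent second step) and afoken's test (look at what the "What's my password?" mail actually contains), as an added example in Perl. This is not PerlMonks' code and does not reflect the site's real database schema or mail code: the user table, the user names and passwords, the reset URL on example.invalid and every function name here are constructed for the example. It uses only core modules (Digest::SHA, MIME::Base64) and a hand-rolled PBKDF2-HMAC-SHA256 so it runs stand-alone with a stock perl.

```perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256 sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);
# Constructed stand-in for the user table (not PerlMonks' schema): a legacy row
# keeps the plaintext under 'passwd'; a migrated row keeps only 'passwd_hash'.
my %users = (
    alice => { passwd => 'correct horse battery' },   # will go through a reset
    bob   => { passwd => 'staple' },                  # will be upgraded at login
);
my %pending_resets;          # sha256_hex(token) => { user, expires }
my $ITERATIONS    = 50_000;  # tune so one hash costs ~100 ms on the real server
my $TOKEN_TTL_SEC = 3600;

sub random_bytes {
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    (read($fh, my $buf, $_[0]) // 0) == $_[0] or die "short read from /dev/urandom";
    return $buf;
}

sub secure_eq {   # constant-time comparison: no early exit on the first differing byte
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# PBKDF2-HMAC-SHA256 (RFC 8018) on core Digest::SHA; a real deployment would use bcrypt/scrypt/Argon2.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dklen) = @_;
    my $dk = '';
    for my $block (1 .. int(($dklen + 31) / 32)) {
        my $u = hmac_sha256($salt . pack('N', $block), $password);
        my $t = $u;
        for (2 .. $iterations) { $u = hmac_sha256($u, $password); $t ^= $u }  # string XOR
        $dk .= $t;
    }
    return substr($dk, 0, $dklen);
}

sub hash_password {
    my ($password) = @_;
    my $salt = random_bytes(16);
    return join '$', 'pbkdf2-sha256', $ITERATIONS, encode_base64($salt, ''),
        encode_base64(pbkdf2_sha256($password, $salt, $ITERATIONS, 32), '');
}

sub verify_hash {
    my ($stored, $password) = @_;
    my ($scheme, $iter, $salt_b64, $dk_b64) = split /\$/, $stored;
    return 0 unless defined $dk_b64 && $scheme eq 'pbkdf2-sha256';
    my $dk = decode_base64($dk_b64);
    return secure_eq(pbkdf2_sha256($password, decode_base64($salt_b64), $iter, length $dk), $dk);
}

sub store_hashed {   # write the hash and drop this user's plaintext column
    my ($user, $password) = @_;
    $users{$user}{passwd_hash} = hash_password($password);
    delete $users{$user}{passwd};
}

# Step 1, usable while rows are still plaintext: "What's my password?" returns the
# mail text with a single-use, expiring token; the password never leaves the server.
sub request_reset {
    my ($user) = @_;
    return undef unless exists $users{$user};
    (my $token = encode_base64(random_bytes(24), '')) =~ tr{+/}{-_};   # URL-safe
    $pending_resets{ sha256_hex($token) } = { user => $user, expires => time + $TOKEN_TTL_SEC };
    return "To set a new password open https://example.invalid/reset?token=$token within one hour.\n";
}

# Step 2, independent of step 1: redeeming a token stores the new password hashed.
sub complete_reset {
    my ($token, $new_password) = @_;
    my $rec = delete $pending_resets{ sha256_hex($token) };   # delete => single use
    return 0 unless $rec && $rec->{expires} >= time;
    store_hashed($rec->{user}, $new_password);
    return 1;
}

# Login accepts both row shapes and upgrades a legacy row the first time its
# plaintext verifies, so the table migrates without forcing everyone to reset.
sub login {
    my ($user, $password) = @_;
    my $row = $users{$user} or return 0;
    return verify_hash($row->{passwd_hash}, $password) ? 1 : 0 if exists $row->{passwd_hash};
    return 0 unless secure_eq($row->{passwd}, $password);
    store_hashed($user, $password);
    return 1;
}

# Demonstration run on the constructed table.
my $mail = request_reset('alice');
print $mail;                                            # a token, not the password
my ($token) = $mail =~ /token=([A-Za-z0-9_-]+)/;
complete_reset($token, 'new passphrase') or die "reset failed";
complete_reset($token, 'replayed')       and die "token was reusable";
login('bob', 'staple')                   or die "legacy password should still log bob in";
login('alice', 'new passphrase')         or die "new password should log alice in";
login('alice', 'correct horse battery')  and die "old password must be dead";
printf "%-5s %s\n", $_, exists $users{$_}{passwd} ? 'still plaintext' : 'hashed, no plaintext' for qw(alice bob);
```

Run it with a plain `perl`; it prints the reset mail (containing only the token) and then reports both users as hashed. Two caveats a practitioner would add: the pending-token table stores only the SHA-256 of each token, so a dump of that table is not a list of usable reset links, and tokens are deleted on first use and expire after an hour, which is what "one-time key" in the post above means in practice. And afoken's point stands: the mail proves only that the password is no longer mailed around; whether the rows are hashed is visible only in the code and the database, and the legacy plaintext rows stay readable until each user logs in or resets, so a final bulk pass that hashes every remaining row in place (after which the old login path is removed) is what actually closes the hole.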
Re: Ideas for "fixing" PerlMonks 1.0
by LanX (Saint) on Dec 16, 2024 at 18:46 UTC

      Sure, one could do that. But is it really worth the effort? I think not. I maintain that all effort would be better expended on trying to create a replacement system entirely from scratch. (well, not entirely. it should be built with modern, open-source software.)

        > But is it really worth the effort?

        I think so, yes!

        And I wouldn't try to implement a "modern" perl backend but start with an attractive JS frontend.

        Most importantly, I would be able to do a POC without messing around with the local patch system.

        YMMV. (Certainly)

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        see Wikisyntax for the Monastery
