What really worries me is that the attackers claim that the passwords were stored UNENCRYPTED. We tell each and every wannabe-coder to salt and encrypt passwords, and the perlmonks code doesn't? If that is true, the monastery has a really big problem, and just changing our passwords once or twice, as advised in It's Time for Everyone to Change Passwords!, is just trying to cure the symptoms.


Re^3: What happened?
by jrsimmon (Hermit) on Jul 29, 2009 at 15:25 UTC
    Evidently they were stored plain text. Until someone updates the users that the breach has been closed and the passwords are actually being stored in a sane manner, you should expect that people who care to do so have full access to your profile.
      Yes, but still people should change their passwords *now*. And *again* when the problems have been fixed.

      If your password is listed, anyone can use your password to change your posts, or worse: change your password so you can't change it yourself, later.

      If you change it now, your new (temporary) password would still be stored in clear text, on a possibly insecure host (although apparently the passwords were stolen from a disused server), but getting it would require significant effort as opposed to just reading a magazine that has probably been copied over a million times already.

        Users who haven't logged into perlmonks in over a year should have their passwords changed by gods.