[sf-perl] Fwd: [LA.pm] Perlmonks compromised

Fred Moyer fred at redhotpenguin.com
Wed Jul 29 21:57:53 PDT 2009


Unfortunately this is a phenomenon that plagues even very large companies.

I'm able to retrieve my password in plain text when I have to recover
it through tmobile.com to pay my phone bill.  I really hope that they
are using two-way encryption there, but in a situation like this two-way
encryption is only halfway there between no encryption and one-way
encryption.  If your system can be rooted and passwords retrieved,
there's a good chance that the attacker can get any two-way encryption
and corresponding salts and algorithms also.

It is not difficult at all to use md5 encryption to one-way encrypt
and salt user passwords before storing them in a persistence layer.

use Digest::MD5;

# don't call this variable salt, or add this comment line, or your
# salt will be easy to find via grep
use constant MONKEYBRAINS => '13hfas78g3532';

....

# one-way hash of the password with the secret appended
sub scrambled_pass {
     my $pass = shift;
     return Digest::MD5::md5_hex( $pass . MONKEYBRAINS );
}

# store the hash, never the password itself
$user->passwd_md5( scrambled_pass( $q->param('password') ) );



On Wed, Jul 29, 2009 at 7:46 PM, frosty<biztos at mac.com> wrote:
> Monks, how could you!  Plain text!
>
> Thanks for the heads-up.  Now I have to try to remember which other sites used my "generic" password, and go change it on them.
>
> Then I will have to plan for the joy of spending the rest of my career hearing about how Perl isn't a serious language because the main Perl guru site stored its friggin' passwords as plain text.  And that from Java goons no less.
>
> Argh!
>
> -- f.
>
> On Wednesday, July 29, 2009, at 06:15PM, "Fred Moyer" <fred at redhotpenguin.com> wrote:
>>The passwords were stored in plain text also, so if you are using that
>>same password somewhere else you want to change it there too.
>>
>>On Wed, Jul 29, 2009 at 8:38 AM, Quinn Weaver<quinn at fairpath.com> wrote:
>>> If you have a Perl Monks account, change your password!
>>>
>>> ---------- Forwarded message ----------
>>> From: Ben Tilly <btilly at gmail.com>
>>> Date: Wed, Jul 29, 2009 at 7:18 AM
>>> Subject: [LA.pm] Perlmonks compromised
>>> To: OC-Perl Mongers <oc-pm at pm.org>, Los Angeles Perl Mongers
>>> <losangeles-pm at pm.org>
>>>
>>>
>>> If you're a janitor or are on Saints In My Book then your password is
>>> being circulated in a file named zf05.txt.  If not, someone still has
>>> it.  Perlmonks may still be compromised, so you should change your
>>> password there, then be prepared to change it again.  And, of course,
>>> you should change that password anywhere else that you used it.
>>>
>>> Ben
>>> _______________________________________________
>>> Losangeles-pm mailing list
>>> Losangeles-pm at pm.org
>>> http://mail.pm.org/mailman/listinfo/losangeles-pm
>>>
>>>
>>>
>>> --
>>> Quinn Weaver Consulting, LLC
>>> Full-stack web design and development
>>> http://quinnweaver.com/
>>> 510-520-5217
>>> _______________________________________________
>>> SanFrancisco-pm mailing list
>>> SanFrancisco-pm at pm.org
>>> http://mail.pm.org/mailman/listinfo/sanfrancisco-pm
>>>
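The salted one-way hashing that Fred's message above argues for, as an added example that is not code from Fred, from Perlmonks or from the list: instead of a single MD5 over the password plus a fixed secret, this uses a per-user random salt stored next to the hash and a slow iterated hash (PBKDF2-HMAC-SHA256 per RFC 8018, built from the core Digest::SHA and MIME::Base64 modules), so that a copied password table cannot be attacked with a single precomputed table and each guess costs the attacker the full iteration count. The salt is not a secret and does not need an obscure constant name; it only has to differ per user. The record format (scheme$iterations$salt$hash), the iteration count of 100_000, the use of /dev/urandom (Unix-like hosts only) and the sample password 'hunter2' are this example's own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);                  # core since Perl 5.10
use MIME::Base64 qw(encode_base64 decode_base64);  # core

# PBKDF2-HMAC-SHA256 (RFC 8018) from core modules only.  One 32-byte
# block of output is all a password verifier needs, so dkLen is fixed.
sub pbkdf2_sha256 {
    my ( $password, $salt, $iterations ) = @_;
    my $u     = hmac_sha256( $salt . pack( 'N', 1 ), $password );  # U_1
    my $block = $u;
    for ( 2 .. $iterations ) {
        $u = hmac_sha256( $u, $password );   # U_i = PRF(P, U_{i-1})
        $block ^= $u;                        # T_1 = U_1 xor ... xor U_c
    }
    return $block;
}

# Per-user random salt.  Assumes a Unix-like host with /dev/urandom.
sub random_salt {
    my $bytes = shift // 16;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read( $fh, my $salt, $bytes ) == $bytes or die "short read from /dev/urandom";
    close $fh;
    return $salt;
}

# Record format (this example's choice): scheme$iterations$salt$hash,
# so the salt and work factor travel with the hash and the work factor
# can be raised later without a schema change.  Nothing here is secret.
sub hash_password {
    my ( $password, $iterations ) = @_;
    $iterations //= 100_000;
    my $salt = random_salt(16);
    my $dk   = pbkdf2_sha256( $password, $salt, $iterations );
    return join '$', 'pbkdf2-sha256', $iterations,
        encode_base64( $salt, '' ), encode_base64( $dk, '' );
}

sub verify_password {
    my ( $password, $stored ) = @_;
    my ( $scheme, $iterations, $salt_b64, $dk_b64 ) = split /\$/, $stored;
    return 0 unless defined $dk_b64 && $scheme eq 'pbkdf2-sha256';
    my $expected = decode_base64($dk_b64);
    my $got = pbkdf2_sha256( $password, decode_base64($salt_b64), $iterations );
    # Constant-time comparison: never return early on the first mismatch.
    return 0 unless length $got == length $expected;
    my $diff = 0;
    $diff |= ord( substr $got, $_, 1 ) ^ ord( substr $expected, $_, 1 )
        for 0 .. length($got) - 1;
    return $diff == 0;
}

# Known-answer check: PBKDF2-HMAC-SHA256 with P="password", S="salt",
# c=1, dkLen=32 (the vector used in Python's hashlib test suite).
sub selftest {
    my $want = '120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b';
    return unpack( 'H*', pbkdf2_sha256( 'password', 'salt', 1 ) ) eq $want;
}

die "PBKDF2 self-test failed\n" unless selftest();

# Constructed sample input for the demonstration.
my $record = hash_password('hunter2');
print "stored:         $record\n";
print "right password: ", ( verify_password( 'hunter2', $record ) ? 'accepted' : 'rejected' ), "\n";
print "wrong password: ", ( verify_password( 'hunter3', $record ) ? 'accepted' : 'rejected' ), "\n";
# Two users with the same password get different records, so cracking
# one hash does not unlock the other account and no single table helps.
print "same password, same record? ",
    ( hash_password('hunter2') eq $record ? 'yes' : 'no' ), "\n";
```

Compared with a fixed secret appended to every password, the per-user salt in the record makes two identical passwords hash differently, and the iteration count is what makes offline guessing expensive once the table has been copied, which is exactly the scenario the thread is about. Raising the count later only requires rehashing on the user's next successful login, because the old count is read back from the record.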

