[sf-perl] Fwd: [LA.pm] Perlmonks compromised

Fred Moyer fred at redhotpenguin.com
Wed Jul 29 22:06:38 PDT 2009


Sorry, the gmail hot keys sent off my email before it was finished.

On Wed, Jul 29, 2009 at 9:57 PM, Fred Moyer<fred at redhotpenguin.com> wrote:
> Unfortunately this is a phenomenon that plagues even very large companies.
...
>
> It is not difficult at all to use md5 encryption to one way encrypt
> and salt user passwords before storing them in a persistence layer.
>
> use strict;
> use warnings;
> use Digest::MD5;
>
> # don't call this variable salt, or add this comment line, or your
> # salt will be easy to find via grep
> use constant MONKEYBRAINS => '13hfas78g3532';
>
> sub scrambled_pass {
>     my $pass = shift;
>
>     # one-way hash of the password with the site-wide salt appended
>     my $scrambled_pass = Digest::MD5::md5_hex($pass . MONKEYBRAINS x 4);
>
>     return $scrambled_pass;
> }

Even this simple level of one way encryption provides significantly
more security than plain text passwords.  It takes me 0 seconds to
decrypt a plain text password (without the aid of a computer).

I've heard arguments that you can brute force md5 encrypted passwords
- which is absolutely true (it can take some time though).  But that
is no excuse for keeping plain text passwords around.  The barrier to
doing nefarious things with those easy to use passwords is just too
low.

> On Wed, Jul 29, 2009 at 7:46 PM, frosty<biztos at mac.com> wrote:
>> Monks, how could you!  Plain text!
>>
>> Thanks for the heads-up.  Now I have to try to remember which other sites used my "generic" password, and go change it on them.
>>
>> Then I will have to plan for the joy of spending the rest of my career hearing about how Perl isn't a serious language because the main Perl guru site stored its friggin' passwords as plain text.  And that from Java goons no less.
>>
>> Argh!
>>
>> -- f.
>>
>> On Wednesday, July 29, 2009, at 06:15PM, "Fred Moyer" <fred at redhotpenguin.com> wrote:
>>>The passwords were stored in plain text also, so if you are using that
>>>same password somewhere else you want to change it there too.
>>>
>>>On Wed, Jul 29, 2009 at 8:38 AM, Quinn Weaver<quinn at fairpath.com> wrote:
>>>> If you have a Perl Monks account, change your password!
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Ben Tilly <btilly at gmail.com>
>>>> Date: Wed, Jul 29, 2009 at 7:18 AM
>>>> Subject: [LA.pm] Perlmonks compromised
>>>> To: OC-Perl Mongers <oc-pm at pm.org>, Los Angeles Perl Mongers
>>>> <losangeles-pm at pm.org>
>>>>
>>>>
>>>> If you're a janitor or are on Saints In My Book then your password is
>>>> being circulated in a file named zf05.txt.  If not, someone still has
>>>> it.  Perlmonks may still be compromised, so you should change your
>>>> password there, then be prepared to change it again.  And, of course,
>>>> you should change that password anywhere else that you used it.
>>>>
>>>> Ben
>>>> _______________________________________________
>>>> Losangeles-pm mailing list
>>>> Losangeles-pm at pm.org
>>>> http://mail.pm.org/mailman/listinfo/losangeles-pm
>>>>
>>>>
>>>>
>>>> --
>>>> Quinn Weaver Consulting, LLC
>>>> Full-stack web design and development
>>>> http://quinnweaver.com/
>>>> 510-520-5217
>>>> _______________________________________________
>>>> SanFrancisco-pm mailing list
>>>> SanFrancisco-pm at pm.org
>>>> http://mail.pm.org/mailman/listinfo/sanfrancisco-pm
>>>>
>>
>

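The messages above argue for salting and one-way hashing stored passwords, and note that unsalted or fixed-salt MD5 can still be brute forced. The following is an added example, not code from any message in this thread, showing what a practitioner would do about that point: a per-user random salt (so two users with the same password get different records, and a leaked salt constant does not help an attacker precompute a table) and an iterated keyed hash (PBKDF2 with HMAC-SHA-256) that makes each guess expensive. It uses only core Perl modules. The /dev/urandom path, the 100_000 iteration count, the record format and all function names are assumptions for this example.

```perl
#!/usr/bin/env perl
# Added example (not code from the original thread): password storage with a
# per-user random salt and an iterated HMAC-SHA-256 (PBKDF2, RFC 8018), using
# only core modules.  The stored record carries the salt and iteration count so
# the cost can be raised later without a schema change.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

use constant ITERATIONS => 100_000;   # assumption: tune to ~100 ms per hash
use constant SALT_BYTES => 16;
use constant KEY_BYTES  => 32;

# Random salt from the OS.  /dev/urandom is assumed; use Crypt::URandom on
# platforms that lack it.
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $salt, SALT_BYTES;
    close $fh;
    die "short read from urandom" unless defined $n && $n == SALT_BYTES;
    return $salt;
}

# PBKDF2 with HMAC-SHA-256 as the PRF.  Digest::SHA's hmac_sha256 takes
# (data, key); the password is the HMAC key, as the RFC specifies.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dk_len) = @_;
    my $blocks  = int(($dk_len + 31) / 32);
    my $derived = '';
    for my $i (1 .. $blocks) {
        my $u = hmac_sha256($salt . pack('N', $i), $password);
        my $t = $u;
        for (2 .. $iterations) {
            $u  = hmac_sha256($u, $password);
            $t ^= $u;                       # string XOR of the block
        }
        $derived .= $t;
    }
    return substr($derived, 0, $dk_len);
}

# Record format (assumed): "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>"
sub hash_password {
    my ($password) = @_;
    my $salt = random_salt();
    my $dk   = pbkdf2_sha256($password, $salt, ITERATIONS, KEY_BYTES);
    return join '$', 'pbkdf2-sha256', ITERATIONS,
        encode_base64($salt, ''), encode_base64($dk, '');
}

# Constant-time comparison so response timing does not leak how many leading
# bytes of the stored hash were matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($password, $record) = @_;
    my ($scheme, $iterations, $salt_b64, $hash_b64) = split /\$/, $record;
    return 0 unless defined $hash_b64 && $scheme eq 'pbkdf2-sha256';
    my $expected = decode_base64($hash_b64);
    my $dk = pbkdf2_sha256($password, decode_base64($salt_b64),
                           $iterations, length $expected);
    return constant_time_eq($dk, $expected);
}

# Demo: the same password gives two different records, and a near miss is
# rejected.
my $rec1 = hash_password('correct horse');
my $rec2 = hash_password('correct horse');
print "$rec1\n$rec2\n";
print "identical records for identical passwords? ",
      ($rec1 eq $rec2 ? "yes (bad)" : "no (good)"), "\n";
print "right password: ", (verify_password('correct horse', $rec1) ? "accepted" : "FAIL"), "\n";
print "wrong password: ", (verify_password('Correct horse', $rec1) ? "FAIL" : "rejected"), "\n";
```

Storing the iteration count in each record lets you raise the work factor for new passwords and transparently rehash old ones at the next successful login; the verify routine reads the count from the record rather than from the constant for exactly that reason. If bcrypt or Argon2 modules are available on the target system, they are the simpler choice and are preferred over hand-rolled PBKDF2, but the structure (random per-user salt, slow hash, constant-time compare) is the same.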
