[sf-perl] Fwd: [LA.pm] Perlmonks compromised

yary not.com at gmail.com
Thu Jul 30 11:47:09 PDT 2009


On Thu, Jul 30, 2009 at 11:08 AM, frosty<biztos at mac.com> wrote:
...> Try it yourself.  Oh joy.  I think it's 8 but I'm too busy to
re-check right now.

Right, I went and changed my password yesterday (old password was
random sting of chars, not one of my usual re-usable ones, phew)- and
couldn't log in today, not realizing that my new password was more
then 8 chars! When I trimmed it down, it works.

funny thing is, one of my early projects I used "crypt" to obfuscate
the passwords, which only works on the first 8 chars. Had a complaint
from a user that when they changed the end of their long password, it
was still accepted, and ended up using a more sophistcated hash in a
later release. An 8-char password limit implies at least "crypt"-level
hashing, which these days is not much better then plaintext- strange
that perlmonks gave the limitation but not the benefit, even as small
a benefit as crypt is!

> Also, considering how big of a rookie move this is for a site full of dev experts,
> I'm completely underwhelmed with the response from Perlmonks so far.

Agreed. It is a good place to get questions answered properly, and it
is a site run as a hobby/non-profit so I don't expect huge
person-hours thown at security- but I do expect this breach to be
taken more seriously than it has been. Take the server down to fix
what can be fiexed, change the passwords, and send an email to
everyone because they might not have found out yet otherwise... it
doesn't have to be done quickly by a team, it's OK if the site is down
a while... all those ideas already posted on threads on perlmonks
repeatedly by various folks already.


More information about the SanFrancisco-pm mailing list