[tpm] UNS: Re: Perlmonks problems

Abram Hindle abram.hindle at softwareprocess.us
Fri Aug 7 06:12:32 PDT 2009


I think Perlmonks runs off of slashcode, which was made by Rob Malda (I
think). If one wants to recover passwords they have to be plaintext, but
really Rob should've known better. I suspect this is just a legacy app
problem.

That said, any website that can send you your old password is storing it
in a readable format.

It doesn't matter if it is plaintext or not: if it isn't hashed well, it
is recoverable when the machine is compromised.

abram

Madison Kelly wrote:
> Abram Hindle wrote:
>>
>> If you forgot your password you could always check:
>>
>> http://r00tsecurity.org/files/zf05.txt
>>
>> Just search for "larry wall" and you'll find the relevant section.
>>
>> abram
> 
> I've always understood that storing plain-text passwords was very, very
> bad. I am quite surprised that a site like Perlmonks did this. Why would
> anyone not store a hash of the passwords these days?
> 
> I went through this a few months back when the phpBB site was
> compromised and was very upset. Now here we go again. I am not upset
> that perlmonks was compromised... it happens. I am very upset though
> that they didn't seem to take the time to store password hashes instead.
> 
> Am I being too hard on them? What justification could there be for this?
> 
> Madi

