[tpm] UNS: Re: Perlmonks problems

Adam Prime adam.prime at utoronto.ca
Fri Aug 7 07:09:49 PDT 2009


Perlmonks is based off of the Everything Engine. use.perl.org is based 
off of Slash.

Adam

Abram Hindle wrote:
> I think Perlmonks runs off of slashcode, which was made by Rob Malda (I
> think). If one wants to recover passwords they have to be plaintext, but
> really Rob should've known better. I suspect this is just a legacy app
> problem.
> 
> That said, any website that can send you your old password is storing it
> in a readable format.
> 
> It doesn't matter if it is plaintext or not, if it isn't hashed well it
> is recoverable when the machine is compromised.
> 
> abram
> 
> Madison Kelly wrote:
>> Abram Hindle wrote:
>>> If you forgot your password you could always check:
>>>
>>> http://r00tsecurity.org/files/zf05.txt
>>>
>>> Just search for "larry wall" and you'll find the relevant section.
>>>
>>> abram
>> I've always understood that storing plain-text passwords was very, very
>> bad. I am quite surprised that a site like Perlmonks did this. Why would
>> anyone not store a hash of the passwords these days?
>>
>> I went through this a few months back when the phpBB site was
>> compromised and was very upset. Now here we go again. I am not upset
>> that perlmonks was compromised... it happens. I am very upset though
>> that they didn't seem to take the time to store password hashes instead.
>>
>> Am I being too hard on them? What justification could there be for this?
>>
>> Madi
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/listinfo/toronto-pm
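
The storage approach the thread argues for, as an added example (not code from Perlmonks, the Everything Engine, Slash, or any poster in this thread): each password is kept only as a salted scrypt hash, so the site cannot mail back an old password, and a forgotten password is handled with a one-time reset token instead. The function names, the record format and the cost parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> str:
    """Return a self-describing record; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # per-user random salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare."""
    _, n, r, p, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def issue_reset_token():
    """'Forgot password': mail the token, store only its SHA-256 digest."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    return token, hashlib.sha256(token.encode()).hexdigest()

def redeem_reset_token(token: str, stored_digest: str, new_password: str):
    """Return a new password record if the token matches, else None.
    The caller is expected to enforce expiry and delete the digest after use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, stored_digest):
        return None
    return hash_password(new_password)

if __name__ == "__main__":
    record = hash_password("constructed sample password")
    print(record)  # what a database dump would expose
    print(verify_password("constructed sample password", record))
    token, digest = issue_reset_token()
    print(redeem_reset_token(token, digest, "another sample") is not None)
```

A dump of this table exposes salts and scrypt outputs only, so every guess against every account costs a full scrypt evaluation; weak passwords can still fall to guessing, which is why the cost parameters matter.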


