On Sun, Jan 26, 2014 at 5:02 PM, Erez Schatz wrote:

> At least they are somewhat encrypted. I recall the perlmonks fuckup when it turned out they store passwords in plain text.
>
> This is supposedly the storefront of the Perl community, and those things keep making everyone look unprofessional.
I read the explanation: http://blogs.perl.org/users/meta/2014/01/security-breach.html

I liked how "the patch was released out of band" - i.e. totally not our fault for not applying it. (No matter that a new version was released afterwards with the patch - they don't follow that either.)

"We have applied patch to MT to use SHA 512" - i.e. we copied that part from a recent version and put it inside.

"we would have preferred bcrypt but..." - that one really knocked me off. In the two functions that you copied, you couldn't search-replace the sha_512 functions with the bcrypt functions? Seriously?

And that is just funny: "with 96 bits of high-grade entropy as a salt". Somebody doesn't know what salt is for.

So after years of neglect, the system finally broke down, and the solution, as we all know, is clear: rewrite in a different language / platform.

I should copy-paste one of Gabor's rants here.

Shmuel.
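The salt-versus-slow-hash distinction argued above, as an added example that is not part of the thread: a salt (96 bits or otherwise) only makes equal passwords hash differently per user, it does not raise the cost of each guess; a deliberately slow password hash does. PBKDF2-HMAC-SHA512 from the Python standard library stands in for bcrypt here, since that is what the post's point needs and bcrypt is not in the standard library; all function names and sample values are constructed for this example.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 12  # 96 bits, the figure quoted in the blog post


def sha512_salted(password: bytes, salt: bytes) -> bytes:
    """One SHA-512 pass over salt + password: fast to compute, fast to guess."""
    return hashlib.sha512(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 20_000) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA512 with a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)


def salt_isolates_users(password: bytes) -> bool:
    """What salt is for: the same password stored for two users yields two
    different hashes, so one precomputed table or one cracked hash does not
    reveal every user who chose that password."""
    salt_a, salt_b = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    return sha512_salted(password, salt_a) != sha512_salted(password, salt_b)


def verify(password: bytes, salt: bytes, stored: bytes, hash_fn=slow_hash) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def guesses_per_second(hash_fn, salt: bytes, candidates) -> float:
    """Measure how many candidate passwords per second one core can try;
    the salt is known to whoever holds the database, so it costs them nothing."""
    start = time.perf_counter()
    for candidate in candidates:
        hash_fn(candidate, salt)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(candidates) / elapsed


def compare_cost(n_guesses: int = 20):
    """Return (fast_rate, slow_rate): the salt is identical in both runs, so the
    only difference in attacker cost comes from the hash's work factor."""
    salt = os.urandom(SALT_BYTES)
    candidates = [f"password{i}".encode() for i in range(n_guesses)]  # constructed
    return (guesses_per_second(sha512_salted, salt, candidates),
            guesses_per_second(slow_hash, salt, candidates))


if __name__ == "__main__":
    fast, slow = compare_cost()
    print(f"salted SHA-512: {fast:,.0f} guesses/s; PBKDF2: {slow:,.0f} guesses/s")
```

Raising `iterations` is how the work factor is tuned; the salt length has no effect on the measured rate.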
_______________________________________________
Perl mailing list
Perl@perl.org.il
http://mail.perl.org.il/mailman/listinfo/perl