There’s More Than One Way to Store a Password – PerlMonks Hacked

Hackers are in a state of Nirvana, as it would appear they hit the gold mine of programmer passwords in a hack of the popular Perl forum and resource site, PerlMonks.com, yesterday.  The hackers claim to have gained access to a database of more than 50,000 passwords, which were, insanely, stored in plain text for anyone with access to the database (or its backups) to read.  They subsequently published the list to several mirrored servers (I can’t find a link to verify, and it’s not something I would publish anyway), along with the following statement:

“There is a really simple reason we owned PerlMonks: we couldn’t resist more than 50,000 unencrypted programmer passwords.

That’s right, unhashed. Just sitting in the database. From which they save convenient backups for us.

Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let’s just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I’m sure you can figure it out yourselves.

This isn’t a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

Not worth our time ;)”

It’s unclear exactly who, and how many, were compromised, but the site is recommending that everyone who has ever had an account on PerlMonks.com change their password immediately.  In addition, one of the world’s largest repositories of open source code, the CPAN network, has also recommended that its authors change their passwords: CPAN’s own account system is independent of PerlMonks, but evidently a good number of authors used the same password on both sites.

As a Perl developer and CPAN author, this is more than a bit concerning.  It would be one thing if this were some random group of people whose passwords had been leaked, but this is a database of tens of thousands of developers, most of whom probably have root access to the machines they write code on, and, according to the hackers, many of whom reuse those same passwords elsewhere.  These are the passwords of developers like Chromatic, Brian D Foy and Andy Lester, of engineers at major corporations and government entities, and more.  The hackers couldn’t have picked a worse server to crack and expose.

I’m baffled at what the PerlMonks developers and admins were thinking, storing their users’ passwords in plain text.  In my opinion that is amateurish, and there should be some sort of repercussions for their lack of responsibility in handling those passwords.  One-way password hashing is something that has been in Perl since version 1.0 (the crypt function) and has also been integrated natively in almost every database environment on the planet; there was never a reason to keep the plaintext.  That said, there is no privacy policy that I can see on the PerlMonks website, so maybe the users should have paid better attention.  I don’t expect the PerlMonks admins to say that, though.  I’m ashamed as a Perl developer, and this gives a huge black eye to the entire Perl community.  It only further validates the rest of the world’s claim that Perl is for messy code.

I hope the PerlMonks developers and admins can make this right, not only by fixing their database, but by making amends with the community, and the rest of the world, whose trust they just violated.  After this, I’m seriously considering switching to another language for my next project.


24 thoughts on “There’s More Than One Way to Store a Password – PerlMonks Hacked”

  1. Just to clarify, the CPAN has its own completely independent security system.

    The problem is that after looking in the PAUSE database for matching passwords (something we could ONLY do because we had the perlmonks plaintext and could hash them using our scheme and compare with the hashes in the CPAN database) we found that a noticeable number of CPAN authors had shared passwords (each one independently on their own) across the two sites.

    All of the relevant people with a password that matches the list of exposed passwords (regardless of who they are) have been locked out of PAUSE.

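Two things on this page deserve a concrete illustration: the post’s point that one-way password hashing has always been available in Perl, and the cross-check described in the comment above (re-hashing the leaked plaintexts under the other site’s own scheme and comparing against its stored hashes to find reuse). The following is an added example written for this page; it is not code from PerlMonks, PAUSE or the post’s author. The hashing scheme (PBKDF2-HMAC-SHA256 with a random per-user salt, built on the core Digest::SHA module), the stored record format, the idea of matching accounts across sites by identical username, and every user name and password in it are assumptions constructed for the example; PAUSE’s real scheme is not described anywhere on this page.

```perl
#!/usr/bin/perl
# Added example: salted, iterated password hashing in Perl, plus a reuse check
# against a leaked plaintext list. Not PerlMonks or PAUSE code; the scheme,
# record format and sample accounts below are assumptions for illustration.
# Needs Perl 5.10+ for the //= operator.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);                 # core module since Perl 5.9.3
use MIME::Base64 qw(encode_base64 decode_base64);

my $ITERATIONS = 20_000;   # tune so one verification costs tens of milliseconds
my $SALT_BYTES = 16;

# Random per-user salt from the OS. The rand() fallback is NOT cryptographically
# strong; it exists only so the example still runs where /dev/urandom is absent.
sub random_salt {
    my $salt = '';
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, $salt, $SALT_BYTES;
        close $fh;
    }
    $salt = pack 'C*', map { int rand 256 } 1 .. $SALT_BYTES
        if length $salt != $SALT_BYTES;
    return $salt;
}

# PBKDF2 (RFC 2898) with HMAC-SHA256; a single 32-byte block is all we need.
# Perl's string ^= operator XORs the two digests byte by byte.
sub pbkdf2_sha256 {
    my ($password, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);   # U1 = PRF(P, S || INT(1))
    my $t = $u;
    for (2 .. $iter) {
        $u = hmac_sha256($u, $password);                     # Ui = PRF(P, Ui-1)
        $t ^= $u;
    }
    return $t;
}

# What gets stored instead of the plaintext: scheme, cost, salt and digest.
sub hash_password {
    my ($password, $salt, $iter) = @_;
    $salt //= random_salt();
    $iter //= $ITERATIONS;
    my $dk = pbkdf2_sha256($password, $salt, $iter);
    return join '$', 'pbkdf2-sha256', $iter, encode_base64($salt, ''), encode_base64($dk, '');
}

sub parse_record {
    my ($scheme, $iter, $salt_b64, $dk_b64) = split /\$/, shift;
    die "unsupported scheme '$scheme'" unless $scheme eq 'pbkdf2-sha256';
    return ($iter, decode_base64($salt_b64), decode_base64($dk_b64));
}

# Constant-time comparison so a login endpoint cannot leak digest bytes by timing.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($password, $record) = @_;
    my ($iter, $salt, $dk) = parse_record($record);
    return ct_equal(pbkdf2_sha256($password, $salt, $iter), $dk);
}

# The cross-check from the comment above: for each leaked (account, plaintext)
# pair, re-hash the plaintext under THIS site's record for the same account name
# and compare. Per-user salts mean there is no precomputed lookup; every candidate
# is hashed individually. Matching accounts by identical username is an assumption.
sub find_reused {
    my ($leaked, $records) = @_;
    my @hits;
    for my $user (sort keys %$leaked) {
        next unless exists $records->{$user};
        push @hits, $user if verify_password($leaked->{$user}, $records->{$user});
    }
    return @hits;
}

# Constructed sample data; no real accounts or passwords.
my %pause_db = (
    alice => hash_password('correct horse battery staple'),
    bob   => hash_password('hunter2'),
    carol => hash_password('s3cret!'),
);
my %leaked = (
    alice => 'correct horse battery staple',   # same password on both sites
    bob   => 'something-else-entirely',        # different password, stays unlocked
    dave  => 'hunter2',                        # no account here under that name
);

my @lock_out = find_reused(\%leaked, \%pause_db);
print "lock out: @lock_out\n";
print "alice login: ", (verify_password('correct horse battery staple', $pause_db{alice}) ? 'ok' : 'denied'), "\n";
```

Two practitioner notes follow from this. First, the comment’s “ONLY do because we had the perlmonks plaintext” is exactly what the per-user salt buys you: two properly salted hash databases cannot be compared against each other at all, so a leak on one site only endangers another if the plaintext itself escapes, as it did here. Second, because the check has to run the full KDF once per candidate account, its cost scales with the overlap between the two user lists; that is acceptable for a one-off incident response, and it is the same cost that makes offline guessing expensive for an attacker holding the hashes.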

  2. Don't use computers either – do you know how many flaws and bugs are in there :).

    Funny that exploits to hack PHP-based sites are frequently written in Perl.


  3. Sasha: Indeed. And I have to say, I thought we (the Perl community) were let off rather lightly compared to the others in that zine. And there seemed to be no real malice there.

    More of a “You had it coming”


  4. Not excusing anything, but FWIW, the number of developers was about 3-6 young people, some 10 years ago (development crawled to a trickle years ago).
    The number of admins (volunteers) is about 3-6 people. They were aware of the problem; it was in the TODO queue.


  5. Thanks for the info. I'm a member at perlmonks and no, they have not really apologized sufficiently for the amateurish plain text, though they at least did not try to conceal the fact, which I'm sure should be embarrassing enough to serve as punishment 😉 It does fuel my conviction that the “elite” at perlmonks are slightly in-bred and prone to hypocrisy, but it's still a great place to get a lot of good help quickly.

    As for you “seriously considering switching to another language for my next project”: is that a perl-baiting joke, or just because you don't really use perl much to start with? The naysayers are just jealous and bitter, as anyone who knows can tell you.


  6. Tye, I have written Perl as my primary language since 1998. I definitely “use Perl much”. I have to admit I have not been impressed with some of the amateurish decisions and events that have taken place recently in the Perl community though. Add to that the fact that most 3rd party APIs are now writing official libraries for PHP, Python, and Java and excluding Perl, I'm seriously considering another language for my next project as the logical choice.

    I'd love to see Perl succeed, but seeing crazy things like this by people that know better really turns me off. Switching from Perl would be a big deal for me, and not something I would take lightly.

  9. Even without this, Perlmonks is a bit of an embarrassment. The user interface is awful, the response times are slow, it's really an advertisement against Perl. It's sad that given how crappy of a language PHP is, how much better the tools built in it are than the tools available for Perl.
