PerlMonks has been hacked, and someone (or more likely a group of people) will perhaps feel the requisite brand of shame over the fact that a lot of people's passwords were leaked, because they were stored in clear text. Not only does that constitute a poor technological solution, it's also putting other people's entrusted private information, and parts of their digital identity, at risk. With people's privacy comes great responsibility.
Anyway, I took the leaked passwords and ran them through a script to get a bit of statistics on the different types of passwords used by a representative slice of the Perlmonks users:
total 567 (100.00%)
alphanumerics-only 517 ( 91.18%)
digits-only 9 ( 1.59%)
letters-only 233 ( 41.09%)
letters&u-score 2 ( 0.35%)
letters&digits 277 ( 48.85%)
letters&1digit 103 ( 18.17%)
letters&2digits 89 ( 15.70%)
letters&3digits 39 ( 6.88%)
letters&4digits 36 ( 6.35%)
letters&5digits 9 ( 1.59%)
letters&6digits 1 ( 0.18%)
with non-alnums 50 ( 8.82%)
1 non-alnum 34 ( 6.00%)
2 non-alnums 14 ( 2.47%)
3 non-alnums 2 ( 0.35%)
Here's the source code, a simple Perl 6 script. The source data is easy to find, but I'm not going to link to it.
Re:What would interest me more...
Ovid on 2009-07-29T21:17:10
The problem is a bit worse than what the data implies. I won't speak for others, but quite some time ago, I received some email implying that someone was trying to get my password. Since I had been bad and reused a password, I immediately changed mine to a unique password. Now, I have a different password management system whereby I have unique, very hard to guess passwords for most critical sites.
In the case of Perlmonks, I switched mine to pineappl. I really didn't care if that account got hacked and I deliberately chose an easy-to-remember password (why that one would be easy for me to remember for that site is something no one would guess
:). However, you'll note that I left off the final 'e' in that word. That's because apparently, passwords are limited to eight characters! That makes hacking passwords much easier. I also note in reviewing people's passwords that many people have chosen passwords for, um, curious reasons.
I'd like to draw some attention to the analyzing script.
Please notice how masak uses regexes and junctions of regexes as matchers, and doesn't need to distinguish them where he uses them.
Also note that the use of the cross operator 'X' means that he has to use only one loop (instead of two nested loops).
I really like that code. And I can't think of any Perl 6 feature (at least not off the top of my head) that would make that code even nicer, but is not yet implemented in Rakudo.
Re:Elegant Perl 6
slanning on 2009-07-30T20:04:26
My reaction at seeing that code was something like horror - like seeing someone whose lips, nose, and eyelids have been cut off. Like you're talking to someone, and all you can think of is their bones underneath that will be left when they've died and rotted away. Surely that's not Perl. Surely!
Will that feeling ever go away?
:) I want it to seem awesome, too. Re:Elegant Perl 6
masak on 2009-07-30T21:31:10
Um, I don't recall having such a reaction when reading Perl 6 code. But OTOH I learned it through the Apocalypses, so I only saw small pieces of it at a time.
My advice to you is to write something in Perl 6 yourself, and then come back and report whether the feeling seems to subside, or at least lessen somewhat.
Re:Intersection of PerlMonk and CPAN Credentials
ivanwills on 2009-07-30T20:12:59
I believe that they are emailing CPAN authorshttp://www.dagolden.com/index.php/358/perl-whipupitude-to-the-rescue/
(Luckly for me the last time I used PerlMonks I had forgotten my password so my password was set to the default forgotten password email's, but I still think I will go and change many of my passwords)
Re:Intersection of PerlMonk and CPAN Credentials
jrockway on 2009-07-30T23:56:28
I tested the first few passwords that had @cpan.org email addresses. All of the people at the beginning of the list used their perlmonks password as their PAUSE password. After about three of these, I got depressed and stopped.Re:Intersection of PerlMonk and CPAN Credentials
ysth on 2009-08-02T19:26:29
"the same or similar" is a hard test.
Work is being done to try to identify any reused passwords (not limited to the published ones).
Who uses their good password for a discussion site, though? I can see if this was a list of online bank passwords how it'd be valuable, but honestly, if I could use a blank string as a password for these sites, I would. Who cares if someone posts a message "as me"?
I liked larry's password the best, ">=6chars". (Presumably in response to a message like, "your password must be greater than or equal to 6 chars". Brilliant!)
At least two passwords contained embedded whitespace. How many contained leading or trailing whitespace? IIRC, the source data was not formatted in a way that even preserved those, so who knows?
Re:Fail(!)
masak on 2009-07-31T06:57:59
You're completely right, I didn't take that into account. Nor do I see a way to do so, given the source data.
Re:Who cares?
masak on 2009-07-31T15:16:28
I thought it would be interesting to do some analysis on the leaked passwords, that's all. We all have a pretty good idea of what makes for a strong password, and this was a chance to see how strong passwords some of the more high-profile Perl users out there were using. In that sense, the strength of compromised passwords is significant, because it gives us an unusual insight.
I don't think I explained that clearly in the blog post. This was my way of generating a marginally useful blog post out of a negative-publicity event. It was also an excuse to write a Perl 6 script.