Slashdot Mirror


WordPress.org Hacked, Plugin Repository Compromised

An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to Wordpress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not use the same password for two different services."

110 comments

  1. A great remainder... by hammarlund · · Score: 2

    and a great reminder as well.

    1. Re:A great remainder... by denis-The-menace · · Score: 0

      5/2=2
      1 is the remainder.

      Idiocracy here we come!

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:A great remainder... by pushing-robot · · Score: 2

      Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:A great remainder... by BarryJacobsen · · Score: 1

      Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

      But the typos are a subtraction.

    4. Re:A great remainder... by DrBoumBoum · · Score: 1

      And in addition to that a distraction.

    5. Re:A great remainder... by Mordok-DestroyerOfWo · · Score: 1

      Multiplying the discord among slashdotters!

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    6. Re:A great remainder... by Thud457 · · Score: 1

      I don't appreciate your divisive comments!

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    7. Re:A great remainder... by Tetsujin · · Score: 1

      Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

      Please excuse my dear aunt Sally. She's very pedantic about these sorts of issues.

      --
      Bow-ties are cool.
  2. Does that mean... by ArsenneLupin · · Score: 0

    ... that Wordpress will now stop replacing quotes and doublequotes in users' contributions with bird droppings?

    If so, yay!

  3. Year of the Hacker by wjousts · · Score: 2

    It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

    Gonna be a tough year for IT security "professionals".

    1. Re:Year of the Hacker by SatanClauz · · Score: 5, Insightful

      Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

    2. Re:Year of the Hacker by Anonymous Coward · · Score: 1

      Tough? Lucrative is more the word I would use. Imagine all those CTOs messing themselves that they could be next, willing to pay over the odds to get a quick fix in.

      Make hay while the sun shines!

    3. Re:Year of the Hacker by wiredog · · Score: 1

      That's been every year since, oh, sometime in the last quarter of the last century.

    4. Re:Year of the Hacker by ygbsm · · Score: 2

      You mean year of the criminal scum bag, right? It's time our community quit treating some of these guys like heroes and freedom fighters - they're vandals, crooks, and thieves, and need to be treated as such. There are no "grey hats" - you're either a white hat or a black hat, and you can't be both.

    5. Re:Year of the Hacker by Hatta · · Score: 1

      They're *all* grey hats.

      --
      Give me Classic Slashdot or give me death!
    6. Re:Year of the Hacker by ArhcAngel · · Score: 0

      That sounds eerily similar to what the king of England said a little over 200 years ago when tea was dumped in a harbor by some "criminals".

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    7. Re:Year of the Hacker by nicolastheadept · · Score: 1

      Yep "criminals". Slave owning, native killing, tax dodging "criminals".

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    8. Re:Year of the Hacker by billcopc · · Score: 0

      Don't delude yourself. Without these high-profile vandals, we'd all be running around with "1-2-3-4-5" as our password, ripe for the real bad guys to plunder. At least these pranksters are raising awareness while causing relatively small damage.

      I'm still amazed at the frequency of these high-profile breaches, mostly because developers and business owners should know better by now, but that's largely because I easily forget the fact that most people are terminally stupid. I distinctly recall one morning when I walked into the office around 11 a.m., all the guys were huddled over the boss' desk, staring at the results of a SQL injection attack. By the crack of noon, the vandalism was cleaned up, and I had written a 10-line script to prevent future SQL attacks across our entire cluster of web servers, hosting hundreds of sites. It really is that easy in 99.9% of all cases, I mean we're dealing with web sites here. You're either GETting a page or POSTing data. If a developer can't be bothered to sanitize their numbers and escape their strings before passing them to the database, that person deserves to get hacked and then sued for quackery. You can literally automate the whole process. Sure it "wastes" a few CPU cycles, much like deadbolts "waste" an inch of door jamb space.

      If 2011 is the year of the digital vandal, I say bring it on. These days it takes a disaster to shake people out of their catatonic mental state anyway.

      --
      -Billco, Fnarg.com
    9. Re:Year of the Hacker by wjousts · · Score: 1

      Yes. I don't consider them heroes either. At best they are an angry mob, and mob rule isn't a desirable thing either.

    10. Re:Year of the Hacker by wjousts · · Score: 1

      That was kinda my point. It's going to be the year when the "professionals" get separated from the Professionals.

    11. Re:Year of the Hacker by S.O.B. · · Score: 1

      I think it's more basic than that, business units in big corps need to realize that they have to stop squeezing IT budgets. I've personally had to fight for security and stability fixes/patches because if they can't see it then they won't pay for it. Of course there's always plenty of money for a new feature or a new pretty graphic.

      They have security professionals but any actions they recommend that actually cost money are ignored or deferred until they have an actual problem.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    12. Re:Year of the Hacker by Jawnn · · Score: 1

      Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

      Word. Maybe, just maybe, some suits will decide that, "Gee. Maybe we should spend some serious money on security..."
      You know, like actually real actual security professionals and buy basic tools that would prevent many of the hacks we've read about.
      [pauses...] Naaaahh.

    13. Re:Year of the Hacker by SatanClauz · · Score: 1

      Ah, yes. Good point! You mean the custodian's brother that knows how to turn on windows firewall shouldn't be doing my security? =cO

    14. Re:Year of the Hacker by CastrTroy · · Score: 0

      The problem is that there is no proper definition of "professionals" as far as computer security is concerned. Professional usually means somebody that is licensed by a state overseen organization to work in a specific field. This includes medical doctors, lawyers, engineers (some countries), and accountants among others. I don't believe that there exists any similar oversight for licensing of computer network security personnel. There are a lot of certifications put out by the likes of Cisco, Oracle, MS, and others, but often these certifications don't actually mean that the holder of the certificate really knows all that much. Not only that, it's not like you would lose your certification if it was found that you were actually incompetent, as would happen with other professions. Also worth noting is that some of the most knowledgeable computer security experts hold no kind of certification at all, save for a university degree, and even many don't have that (not saying it's needed). Setting up an accreditation board and getting laws requiring that companies use professionals when designing their systems will probably take decades, if it ever happens, even at the rate that these systems are currently being cracked. Not only that, but there's a big question of who has to employ professionals in the first place. Am I required to hire one if I run a web server in my house? What about if I run a game server for one of those facebook games? What about if I run a simple store, but only use paypal, thereby not getting any credit card information directly? At what level do we require that a network use accredited professionals? Basically the point is, we all know we need this at some level, but defining that level is quite difficult. And for any service that eventually requires accredited professionals, be prepared for the costs to skyrocket, just as has happened in every other industry that requires professionals.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    15. Re:Year of the Hacker by lthorne · · Score: 0

      Just stop using wordpress on old versions of apache. It's really quite simple. www.infaCORE.com is a far better solution and it cannot get SQL injected. Ever! Go ahead and try.

    16. Re:Year of the Hacker by Anonymous Coward · · Score: 0

      Yeah, because all rebellious people that perform destructive acts are equally justified.
      Back to school with ye!

    17. Re:Year of the Hacker by X.25 · · Score: 3, Interesting

      It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

      Gonna be a tough year for IT security "professionals".

      Professionals left that world and went onto other things when suits concluded that security products are enough.

      So now, it'll be hackers vs security products and trained monkeys. Fun all around.

    18. Re:Year of the Hacker by Lumpy · · Score: 2

      They hire minimum wage lackeys for the physical security... what makes you think they will hire someone skilled for the IT security?

      --
      Do not look at laser with remaining good eye.
    19. Re:Year of the Hacker by sqldr · · Score: 1

      I can't wait for this year's version of this:

      http://pwnies.com/
      We all had a good laugh at microsoft's CSS "protection" code, but compared to this year, microsoft are starting to look quite good.

      --
      I wrote my first program at the age of six, and I still can't work out how this website works.
    20. Re:Year of the Hacker by MrNemesis · · Score: 1

      people finally realize security "professionals" are actually NEEDED!

      Or, if you know some of the people I've worked with, it'll be more a "as soon as the authorities have caught up with these LulzSec people, there won't be any more haXx0ring vectors, so what's the point in patching the servers? It's not like WE'D be a target anyway!". IME most companies won't give a shit about easily enforced and executed pre-emptive security until there's a thousand trojans running around the network and the entire company is fucked, and by then it's too late.

      If you're working for a company that doesn't think security is important enough to employ someone to be responsible for it, the actions of people like LulzSec aren't going to convince them otherwise. This coming from a sysadmin who's finally overcome a decade-old "don't patch ANYTHING once it enters production, not even the clients" mindset and now has the fun task of installing an average of 120 patches and three service packs on 300 servers. It took two branch offices getting their computers totalled by malware coming in on USB sticks before management got that particular message.

      --
      Moderation Total: -1 Troll, +3 Goat
    21. Re:Year of the Hacker by Anonymous Coward · · Score: 0

      One man's terrorist is another's freedom fighter. I know which side you're on.

    22. Re:Year of the Hacker by Anonymous Coward · · Score: 0

      More like the year security firms see skyrocketing profits...

  4. plain text.... really? by datapharmer · · Score: 1

    Perhaps someone is just sniffing their email. They send all the passwords in plain text! WTF mate?

    --
    Get a web developer
    1. Re:plain text.... really? by L-four · · Score: 1

      bitches don't know about my plain text passwords.

  5. store hash instead of password by Anonymous Coward · · Score: 1

    Is it too difficult to, instead of storing the actual passwords, store a hash and during authorization just compare the hashes?

    1. Re:store hash instead of password by Otto · · Score: 2

      WordPress does only store password hashes, using the PHPass hashing library.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    2. Re:store hash instead of password by Phreakiture · · Score: 1

      That's fine until someone comes along with a rainbow table . . .

      --
      www.wavefront-av.com
    3. Re:store hash instead of password by KiloByte · · Score: 2

      That's bland. Needs salt.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
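Worked illustration of the three replies above (store a hash, rainbow tables beat a bare hash, salt fixes that), added here and not code from the thread or from WordPress/PHPass; the user names and passwords are constructed sample data, and PBKDF2 stands in for whatever stretching scheme a real system uses:

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: three users, two of whom reuse the same password.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}


def unsalted_hash(password):
    """The weak scheme the first reply describes: one bare hash, no salt.
    Equal passwords give equal hashes, so one precomputed (rainbow) table
    entry matches every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256).
    The record is stored as 'pbkdf2$iterations$salt_hex$digest_hex' so that
    verify() can re-derive the digest from the stored parameters."""
    if salt is None:
        salt = os.urandom(16)  # a fresh salt per user defeats precomputation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(users, hasher):
    """Map each user to the value a credential store would keep for them."""
    return {name: hasher(pw) for name, pw in users.items()}


def users_exposed_by_one_hit(table):
    """Number of users sharing a stored value with at least one other user,
    i.e. how many fall to a single precomputed-table match."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak = build_table(USERS, unsalted_hash)
    strong = build_table(USERS, salted_hash)
    print("unsalted: users exposed by one table hit =", users_exposed_by_one_hit(weak))
    print("salted:   users exposed by one table hit =", users_exposed_by_one_hit(strong))
    print("login ok:", verify("hunter2", strong["bob"]), "wrong pw:", verify("hunter3", strong["bob"]))
```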
    4. Re:store hash instead of password by Anonymous Coward · · Score: 0

      That's a typical bullshit comment. Instead of generalizing your stance, back it up with empirical proof, kiddie.

    5. Re:store hash instead of password by ChrisMP1 · · Score: 1

      Three out of your last six posts were self-promotion. Go away.

    6. Re:store hash instead of password by Anonymous Coward · · Score: 0

      This is your second advertisement in this thread, attempting to capitalize on a hack that isn't part of the wordpress software, and I'm only halfway through. And yes, every single person here knows about salting and rainbow tables.

      Please stop.

    7. Re:store hash instead of password by Phreakiture · · Score: 1

      Dude! I wish I could mod you up for that.

      --
      www.wavefront-av.com
  6. A great reminder? by iateyourcookies · · Score: 5, Insightful

    "This is a great remainder [sic] for all users not use the same password for two different services."

    Not it's not. Not even slightly.

    The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

    Blaming the user here is unreasonable.

    1. Re:A great reminder? by madhatter256 · · Score: 1

      It is good practice to use multiple passwords for different services.

      I do it and I have A LOT of passwords to memorize. Luckily, I wrote them down on a piece of paper and have that kept in a safe place as I do tend to forget those that I hardly visit from time to time.

      Now I know writing passwords in a text document and saving it on your PC is stupid, but writing it down on a piece of paper isn't. It's about how it's written, if you write passwords and leave it in your jewelry box or personal safe or with your files, then the burglar steals that stuff and your PC, then they have easy access to all your accounts. But if you put it inside places like as a bookmark for a novel or tape it under your desk, then that's stuff a burglar wouldn't really take if they were in a hurry.

      So it is ok to write them down, but put that in a place a would-be burglar wouldn't look... unless the FBI raid your house, they look everywhere for stuff.

      --
      Previewing comments are for sissies!
    2. Re:A great reminder? by Otto · · Score: 1

      Use an encrypted password storage system like 1Password or LastPass. Yes, it's not perfect, but what is? Passwords that don't look like line noise are vulnerable nowadays.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    3. Re:A great reminder? by somersault · · Score: 1

      The user could just put the name of the website into the email. That will make it easy for someone to figure out their password scheme if they always use the same format of websitename-mypassword, but if they use it only for sites which store hashes, then it's going to be extremely unlikely that anyone will crack their passwords through pure brute force.

      --
      which is totally what she said
    4. Re:A great reminder? by Anonymous Coward · · Score: 0

      "This is a great remainder [sic] for all users not use the same password for two different services.

      The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

      Blaming the user here is unreasonable.

      Could not agree more. I have several hundred site registrations, and I'm just a normal guy. Yeah....let's all use a different password on every site we visit. That'll work, no problem. How 'bout this? How 'bout WordPress.org (et al.) gets their crap together and secures their site?

    5. Re:A great reminder? by pongo000 · · Score: 1

      While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

      I was going to mod this up, but thought it might be a good time for my annual suggestion of using passphrases instead of random sequences of characters. Much easier to remember, and a short 3-word passphrase (maybe with a random character to increase entropy) usually satisfies the moronic "password strength" checks.

    6. Re:A great reminder? by Anonymous Coward · · Score: 0

      Based on recent events I would have to say the FBI don't raid your house and look everywhere, they'd just take your entire house.

    7. Re:A great reminder? by Anonymous Coward · · Score: 0

      Untrue. A password such as "Abc123...Abc123...Abc123...Abc123..." is actually much harder to brute-force than "5@f!Kl$agR$-=s2".

    8. Re:A great reminder? by Anonymous Coward · · Score: 0

      My password uses characters from the businesses name/URL somewhere in it. Each password is then unique and I only have to memorize the part of the password that doesn't change.

    9. Re:A great reminder? by BlackPignouf · · Score: 2

      https://www.pwdhash.com/

      You're welcome!

    10. Re:A great reminder? by Anonymous Coward · · Score: 0

      Who the fuck is "blaming the user" here, Mr. Strawmanbuilder?

    11. Re:A great reminder? by ccguy · · Score: 1

      It is good practice to use multiple passwords for different services.

      What good is that when you can reset/recover all passwords using the same email account?

    12. Re:A great reminder? by robmclarty · · Score: 1

      Totally agree. Seriously, what have we got? Facebook, Google, Twitter, Github, Slashdot, Personal Sites, Banking, OmniAuth.... If I had a different, unique, strong password for each of these services my head would explode. Obviously you wouldn't want to use the same password for banking as you would for Twitter, but grouping things into manageable chunks is a must (e.g., all-social-networks-password, banking-password, all-personal-sites-password). But don't get me started on banks' online "security" with their forced 8-character-or-less-alphanumeric password systems (at least where I live in Canada... seriously, I make authentication systems all the time for clients; is it really that hard to allow users to determine the length and complexity of their own passwords?)

    13. Re:A great reminder? by Tsar · · Score: 2

      "This is a great remainder [sic] for all users not use the same password for two different services."

      Not [sic] it's not. Not even slightly.

      Respectfully, I beg to differ. I'm running a password manager to keep track of all my passwords, online and otherwise. I'll never go back, and neither should you.

      Except for my password to the app itself (which is absurdly long but memorized and periodically changed), all my passwords are unique, cryptographically secure random printable-character strings of the maximum length allowed by each system or 255 characters, whichever is shorter. I keep three deeply-encrypted copies stored remotely, so unless we lose North America, I'll never have a problem getting back into my Slashdot account.

      Once I've entered my master password I only have to hit a system key combo to enter my credentials into any site, so after initial setup it's much more convenient than even using the same password everywhere. Yes, there are always potential security holes, but I believe that I'm managing them quite well, thank you.

      I didn't realize how many sites I had login credentials for (well into the triple digits) until I set up this app. Most of them used one of a very small handful of passwords. What's worse, I sometimes tried several of those passwords before I got logged into a site, so a malicious site could easily keep track of those attempts and have the passwords for many of my other sites. Not any more. Changing a password isn't a chore anymore, because I don't have to re-memorize anything. I simply generate a password of the maximum allowed length and complexity, swap it out and move on. Finally, I don't have a photographic memory either, so it's good that I don't have to remember all the sites where I used the same password as I did on the current Hacked Site of the Day.

    14. Re:A great reminder? by Anonymous Coward · · Score: 0

      As if that was hard to do if planned properly:

      http://blown-to-bits.blogspot.com/2011/05/passwords-part-two-of-two.html

    15. Re:A great reminder? by Anonymous Coward · · Score: 0

      Yeah, this _is_ a great reminder. Just use KeePassX (http://www.keepassx.org/) or something similar...

    16. Re:A great reminder? by not-my-real-name · · Score: 1

      While it wouldn't be a good idea to write your password on a post-it stuck to your monitor at work, it might not be a bad idea to write your personal passwords for on-line services in a notebook that you keep at home. This way you can use multiple secure passwords for your on-line services.

      --
      un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
    17. Re:A great reminder? by tlhIngan · · Score: 1

      Also, there's also the level of importance of the site to the user.

      Some random blogger's website? My NYTimes login? Minor forums I visit? I'll just use the same damn password. Who cares if it's hacked? So someone could post as me. If that site becomes more important, then I can always change the password later.

      My online banking/paypal/ebay/amazon/windows live/google password? nice secure and different (all linked to valuable accounts and services). My twitter/blog/NYTimes/slashdot/gawker/etc password? simple ones because if they're hacked, well that's just an inconvenience that I'll have to make a new account.

    18. Re:A great reminder? by jank1887 · · Score: 1

      got it. will only ever log in from a single PC/mobile device. no need to remember more than 1 password evar.

    19. Re:A great reminder? by ZaMoose · · Score: 1

      Their site wasn't compromised AFAICT. Three plugin developers' accounts were compromised (passwords guessed?) and SVN checkins containing backdoors were pushed into their respective (fairly popular) plugins. This was intended to push malware out to individual WordPress installs.

      --
      I wish I had a kryptonite cross, because then you could keep Dracula and Superman away.
    20. Re:A great reminder? by Grauwyler · · Score: 1

      It is good practice to use multiple passwords for different services.

      What good is that when you can reset/recover all passwords using the same email account?

      Then you just need a unique email account for each service that you sign up for.

    21. Re:A great reminder? by heypete · · Score: 1

      Google Mail, as an example, supports two-factor authentication (either with a smartphone app, a pre-printed list of one-time codes, or SMS messages to mobile phones). Enabling this feature makes it much more difficult for bad guys to compromise an account.

    22. Re:A great reminder? by Anonymous Coward · · Score: 0

      I use KeePassX which works on PC, Mac, Linux, and Android. I share my encrypted library with DropBox (about to switch to SpiderOak). Never without my phone, so I have all of my passwords at a few keystrokes.

  7. Wrong as usual by gaspyy · · Score: 5, Informative

    The summary is incorrect as usual.

    Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.

  8. Re:Now is the time by gnapster · · Score: 0

    Well, at least you're not racist.

  9. Re:Now is the time by Stenchwarrior · · Score: 2

    Please say you were joking.

    On behalf of the rest of us Americans, please understand that less than half of the people in our country actually talk and act like this guy. It's not everyone, I assure you.

  10. Re:Now is the time by ciderbrew · · Score: 1

    America / American is not a race.

  11. Details on the malicious code? by Anonymous Coward · · Score: 0

    Other than "backdoors", are there any details on what the malicious code in each of the plugins did? A simple back door isn't nearly as worrying if your exposure is limited to the time when you had the compromised plugin running but if the code made other more permanent changes or extracted information that would be a much bigger concern (and leave TONS of people with a huge cleanup effort to re-secure their sites).

    1. Re:Details on the malicious code? by Hatta · · Score: 1

      If you've been hacked, you have to assume there's a root kit. Unless you have checksums for every file on the machine, and scan it from a system on read only media, there's no way to prove there's not a back door you haven't discovered yet.

      --
      Give me Classic Slashdot or give me death!
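The file-checksum approach in the reply above, as an added example that is not code from the thread: baseline a plugin directory, then report what an update changed. The plugin name and file contents are constructed, and the demo writes into a temporary directory; as the reply notes, the baseline and the checking tool belong on media the host cannot alter.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Diff the live tree against a stored baseline: modified, added, removed.
    An added file is as suspicious as a modified one; a backdoor can arrive as
    a new file that the plugin's own code merely includes."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a plugin directory, then apply an
    'update' that alters one file and drops in a new one."""
    plugin = Path(tempfile.mkdtemp()) / "plugins" / "example-plugin"  # hypothetical plugin
    plugin.mkdir(parents=True)
    (plugin / "example-plugin.php").write_text("<?php // original plugin code\n")
    (plugin / "readme.txt").write_text("Example plugin\n")
    baseline = build_baseline(plugin)

    # Simulated tampered update: one file changed, one file added.
    (plugin / "example-plugin.php").write_text(
        "<?php // original plugin code\n// lines that were not in the release\n")
    (plugin / "helper.php").write_text("<?php // file that was not in the release\n")
    return compare_baseline(plugin, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```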
  12. AddThis by Megane · · Score: 1

    ...and nothing of value was lost. (Thank you AdBlock Plus for letting me banish that piece of rollover crap.)

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  13. Re:Now is the time by Lumpy · · Score: 1

    "Who actually chants "USA! USA! USA!" in America?"

    Alabama suicide bombers... Luckily they build the bombs themselves and end up exploding prematurely in an open field.

    --
    Do not look at laser with remaining good eye.
  14. Re:Now is the time by gnapster · · Score: 1

    I didn't say it was.

  15. Seems like black ops to me now. by unity100 · · Score: 0

    there is WAY too much hacking going on. and for some twist of fate, this just predates the pending internet censorship/control scheme vote in american senate. and, american sources are attacked. way too many 'coincidence'.

    either this is some shady operation, or there is no course called 'statistics' on this planet.

    1. Re:Seems like black ops to me now. by Anonymous Coward · · Score: 0

      And we all know from 'statistics' that correlation does not imply causation.

    2. Re:Seems like black ops to me now. by stderr_dk · · Score: 1

      And we all know from 'statistics' that correlation does not imply causation.

      ...but it does waggle its eyebrows suggestively and gesture furtively while mouthing 'look over there'.

      --
      alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
    3. Re:Seems like black ops to me now. by unity100 · · Score: 1

      when the correlation goes statistically improbably congruent, it implies causation - direct or indirect.

  16. Re:Now is the time by Anonymous Coward · · Score: 0

    They can be considered to be.

    race2

    [reys] Show IPA
    –noun
    1. a group of persons related by common descent or heredity.
    2. a population so related.
    3. Anthropology .
    a. any of the traditional divisions of humankind, the commonest being the Caucasian, Mongoloid, and Negro, characterized by supposedly distinctive and universal physical characteristics: no longer in technical use.
    b. an arbitrary classification of modern humans, sometimes, especially formerly, based on any or a combination of various physical characteristics, as skin color, facial form, or eye shape, and now frequently based on such genetic markers as blood groups.
    c. a human population partially isolated reproductively from other populations, whose members share a greater degree of physical and genetic similarity with one another than with other humans.
    4. a group of tribes or peoples forming an ethnic stock: the Slavic race.
    5. any people united by common history, language, cultural traits, etc.: the Dutch race.

  17. Completely irrelevant by Dunbal · · Score: 1

    This is a great remainder for all users not use the same password for two different services.

    And how is this going to result in a hacked website? Breaking into a user account should not give you administrator privileges. No, this is a great reminder to secure your fucking website against SQL injection, once again. Never trust your users just because they are "logged in". Now of course if the administrator of the website was using the same login/password as his gmail account or something then yes, he should be shot.

    --
    Seven puppies were harmed during the making of this post.
  18. Re:Now is the time by lostmongoose · · Score: 1

    Who actually chants "USA! USA! USA!" in America?

    I worked with the wealthy snowbirds and the every day racism of Americans drove me back to Germany. Genuine hate towards foreigners from people whose great-grandparents stole the land they live on today.

    All in the name of freedom, progress and the good old US of A, fuck that, fuck them.

    Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

  19. Updated AddThis on one of my sites on the 19th by stephathome · · Score: 1

    I think this may explain why, when I updated AddThis on some of my sites, it caused the white screen of death instead. So far the sites look ok, but now I need to go over them in more detail.

  20. Summary is full of shit, as usual by billcopc · · Score: 2

    Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back

    Three popular plugins. Yes, they're popular, I've used all three on several sites.

    THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

    This place has gone to the dogs... where the hell is a guy supposed to get his tech news anymore?

    --
    -Billco, Fnarg.com
    1. Re:Summary is full of shit, as usual by Anonymous Coward · · Score: 0

      where the hell is a guy supposed to get his tech news anymore?

      Try Ars Technica. The comments aren't threaded and therefore less easy to read, but their articles are a big step up from Slashdot. The only reason I still come here is to read comments.

    2. Re:Summary is full of shit, as usual by nstlgc · · Score: 1

      So how did they get the passwords of those users in the first place? Why are you believing only those three were the only authors whose passwords were exposed?

      And while I'm at it, why so butthurt? Do you have any personal stake in this?

      --
      I'm Rocco. I'm the +5 Funny man.
  21. Hackers get a life. by Anonymous Coward · · Score: 0

    For 50-60% of the WordPress users are just that, normal people with a blog or a small business. Leave them alone, you're just hurting little people.

  22. Re:Now is the time by Danzigism · · Score: 1

    Apparently you've never heard of Hacksaw Jim Duggan....

    --
    *plays the Apogee theme song music*
  23. Re:Now is the time by ciderbrew · · Score: 1

    I didn't say you did.

  24. Re:Now is the time by torgis · · Score: 1

    Oh my. A German chiding the people of other nations over hate. That's absolutely hilarious. I needed that laugh today.

    Perhaps he feels qualified to comment; the Germans having had much experience in such matters.

  25. Re:Now is the time by Anonymous Coward · · Score: 0

    Look at the footage just after Osama Bin Laden was killed. There seemed to be no shortage of people doing exactly that.

  26. Slayers episode 17: A great reminder? by Tetsujin · · Score: 1

    Yeah, this _is_ a great reminder. Just use KeePassX (http://www.keepassx.org/) or something similar...

    I can't recommend this product highly enough. I've used Keep Ass X on my website for years, and I would certainly say it lived up to its promise of covering my ass!

    --
    Bow-ties are cool.
  27. Re:Now is the time by gnapster · · Score: 1

    Cool. Glad we're on the same page.

  28. Re:Now is the time by pubwvj · · Score: 0

    "people whose great-grandparents stole the land they live on today."

    You obviously have no concept of historic reality. Everyone stole the land they're on unless they bought it. In the past buying was rare. Instead people invaded, conquered, killed, raped, intermarried, enslaved and merged in time. It was the way. Stop being such a nationalist bigot.

  29. "USA" chanted in New York City by perpenso · · Score: 1

    Who actually chants "USA! USA! USA!" in America? Is that a southern thing, ...

    Apparently you missed the coverage of Times Square the day Bin Laden was killed. There was no shortage of New York City residents chanting for the TV cameras.

  30. Arrogance from the IT Department by TellarHK · · Score: 1

    As someone that's done a lot of end-user work, it annoys me to see the level of arrogance coming from posts like this one where the idea of using multiple passwords for different services is touted as the Only Responsible Way to do anything online.

    It doesn't bother me because it's a bad idea, it bothers me because if it's so goddamned important - why haven't the companies that make our web browsers and operating systems put some fucking effort into building features for this into our infrastructure? I have accounts on dozens, if not _hundreds_ of sites, and the best I can manage for passwords is having a stable of a few passwords of increasing complexity dependent on how secure the site in question is. If it accesses my money in any way, it gets high-security. If it doesn't, it gets mid-security, if it's a hobbyist or community-run website it gets low security. On occasions, I need to change my low security password (such as the Gawker hit) but that's part of the game. When I needed to change it however, I needed to change it on dozens of websites.

    Would a password management system be a good idea? Hell yes. Is it the best way to manage things? Sure, _as long as the repository is safe_. My problem with the arrogance noted above is due to the fact some people somehow magically expect normal users to do something that trained, knowledgeable IT people frequently consider too much of a pain in the ass to bother with.

    If this is truly an important problem that needs to be tackled (protip: It is) then let's get some industry muscle put to work here. Get the HTML standard to include a password management and transmission feature, something robust enough to handle the hundreds of sites people may actually visit. Build the OSX Keychain into my web browser, instead of having to set up plugins like KeePass to do a job the browser should already be handling. Fucking do _something_ to improve this situation, on a wide-scale infrastructure level. It's not impossible. It just takes the right people to get it done.

    1. Re:Arrogance from the IT Department by horza · · Score: 1

      See all comments above about KeePassX. It's child's play. It's not a browser plugin, it's an app you can run on any OS including mobile. It's a better solution than you are suggesting. If somebody can handle the concept of a purse or wallet, they can understand KeePassX.

      Phillip.

  31. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  32. The decision is mine, not yours by pclminion · · Score: 1

    This is a great remainder for all users not use the same password for two different services.

    Not really. I divide my logins into two categories: stuff that, if it were all compromised simultaneously, would be inconvenient but otherwise no big deal; and everything else. In the "everything else" category, every password is unique. For the stuff that isn't life or lifestyle critical, I save myself some mental effort and just use the same password.

    Oh noes, they got my Slashdot account, my account on some news website where I logged in once to respond to an idiotic comment, and my account on the website where everybody talks about frogs. I'm sooo scared. Seriously, the risk of it happening is pretty low (not the initial compromise, but the risk that they will go on to compromise ALL of my other accounts before I have a chance to react), and it certainly isn't worth the inconvenience of zillions of passwords on sites that aren't that important in the grand scheme of things.

    Bank account logins, stock brokerage logins, passwords to my hosting provider and DNS registrar logins, etc., that stuff is all unique, and memorized, so it's not even written down anywhere even in encrypted form.

  33. Where do security professionals come from? by Anonymous Coward · · Score: 0

    Hackers become the security professionals and vice versa. They are some of the highest paid people in the computer world. And yes, you should have a different randomly generated password for everything. Put it in a text file on your computer in a secure disk image or something similar depending on your OS. Additionally, people who make these systems should not be storing passwords in plaintext. The least you could do is store message digests of passwords.
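
    A defender's illustration of that last point, added here by the editor and not part of the thread: an unsalted digest of a reused password comes out identical on every site that stores it that way, so one leaked table can be matched against another, whereas a salted, iterated hash does not. PBKDF2-HMAC-SHA256, the storage format and the parameter values below are this example's own choices, not anything WordPress uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this example (assumptions, not from the thread).
ITERATIONS = 200_000
SALT_LEN = 16


def plain_digest(password: str) -> str:
    """Bare unsalted message digest: the minimum the comment above asks for."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def digests_collide(password: str) -> Tuple[bool, bool]:
    """Simulate one password reused on two services.

    Returns (unsalted_values_match, salted_values_match): the unsalted
    digests are identical, the salted records are not.
    """
    unsalted = plain_digest(password) == plain_digest(password)
    salted = hash_password(password) == hash_password(password)
    return unsalted, salted


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(verify_password("correct horse", record))  # True
    print(digests_collide("hunter2"))  # (True, False)
```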

  34. Re:Now is the time by bill_mcgonigle · · Score: 1

    "Who actually chants "USA! USA! USA!" in America?"

    Northern "conservatives", of the nationalistic jingoist variety.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  35. Well put Santa - I agree, 110%... apk by Anonymous Coward · · Score: 0

    It'll happen when they get "hit" hard enough. It's like insurances I suppose. Nothing inspires any entity like that, the experience of being burnt or hurt by anything.

    Sure - Fear's easy enough to sell, but protection vs. bad experiences? Even easier.

    In a "StRaNgE" way, perhaps the boys from LuLzSec &/or Anonymous (plus the harder-core hacker/cracker types out there too) in their own weird way, are making some good come out of their bad.

    It was much the same with computer viruses/malware really. Nobody did anything about them, until they got "NOOKED" by one. Same here too "back in the day" for me in DOS (McAfee was KING then & I bought into them).

    It'll happen man, & some good comes out of the bad. Things do have a way of working out.

    This, in turn, hopefully should be good for job creation in the IT field!

    (Which job creation, not shit jobs, but well paying ones, & spurring them? That should be #1 on the US Gov't.'s agenda imo, more than anything, to save us economically really - give folks disposable extra income, they'll spend it... which in turn, allows Peter Business to pay his supplier Paul Business, & the economic engine's wheels start turning).

    * Let's hope this all works out that way, right?

    APK

    P.S.=> Personally, I do think that the government's trying to do their part, based on the information from this site this past week, & this may interest you IF you missed it here the other day:

    ---

    Cybersecurity and the Internet Economy:

    http://yro.slashdot.org/comments.pl?sid=2222868&cid=36379698

    (I said much the same as you have here in fact there)

    and

    Feds Recruiting ISPs To Combat Cyber Threats:

    http://yro.slashdot.org/comments.pl?sid=2250682&cid=36495130

    ---

    Personally, I do *think* our politicians are trying, but... their hands get tied.

    IMO @ least? "Big Money" REALLY "runs the show" out there, not our politicians.

    ( & the reason they HAVE big money is, they hold onto it, tightly... )

    Plus, typically as I am certain you guys know, spending on SERIOUS security costs, so they omit that cost until they absolutely HAVE to implement it, seriously.

    Small businesses perhaps aren't fully aware of it, they're in business & expert @ what THEY do, not computing too, so... there you are!

    (At least from my perspective + experiences in the computing field since 1994 professionally @ least, such as it is (where I've seen & heard that "train-of-thought" before on the job over time the past decade a couple times in fact, @ diff. companies))

    Hey - it's just the way it works I have found @ least, most times!

    ... apk

  36. Shocked by Pigskin-Referee · · Score: 1

    I have read over 100 virtually useless comments on the events that transpired at WordPress, yet not one individual, not even the nefarious "Anonymous Coward", has come forward and blamed Microsoft for this dastardly deed. This has led me to the only logical conclusion: a cold day in Hell has finally arrived.

    --
    Pigskin-Referee
    Linux: Yesterday's technology, tomorrow ...
  37. Hashlink Generator Plugin by Anonymous Coward · · Score: 0

    Hi,

    I've written a useful WordPress plugin. Hash links and generate pages to bring up your blog's popularity in search engines.

    Visit my blog: Devcon
    Try it out!

    Greetings