Slashdot Mirror


Drupal.org User Accounts Compromised

An anonymous reader writes "The Drupal.org team released a bulletin this evening notifying users of a breach in their infrastructure. From the bulletin: 'The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords... All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.' Users are encouraged to update their Drupal.org passwords and the passwords of any accounts that could be linked via the compromised information."

3 of 60 comments

  1. The End of Passwords by rueger · Score: 3, Insightful

    I'll admit to a) reusing the same password on most forums, since it largely wouldn't matter if someone accessed them, b) using shorter passwords for most stuff, and long complex ones for the handful of places that actually need security, and c) using the "Forgot Password?" link on most web sites that I don't visit often and just accepting whatever reset they offer.

    It's time to acknowledge that passwords are an idea that has come and gone. Too much hassle. Too many different password specifications from site to site. Too many to remember. Too many poorly constructed sites trying to tell users that bad security is their fault for not having super long and complex passwords. Too many sites where I actually now have three or four user IDs and passwords because I couldn't remember the last password I used there, or had changed my e-mail address since last visiting.

    And too many sites, banks especially, that still demand to know my mother's maiden name, or worse yet, arcana from my youth that I don't even remember. My first pet's name? My favourite TV show? I have no idea. Or likely would answer that differently a month from now.

    It's no wonder that most people ignore all of the password edicts that are thrown at them, and never change anything, and use the same password everywhere.

    Surely we can develop some new way of confirming people's identity that allows us to abandon the idea of passwords? I vote for an RFID pinky ring with a plug in USB reader on my computer.

    1. Re:The End of Passwords by SplatMan_DK · Score: 3, Insightful

      Sounds like you need a simple mechanism for unique passwords. I have a suggestion for you to consider.

      Personally - I "salt" a standard password with the name of the website: the first initial of each of the words in a site's name for example. If my 'standard' password was for example "Aware20130530ness", and I was signing up for slashdot, I can simply add the letters to the start of the password, resulting in "sdAware20130530ness"

      Right, clever boy, and now that you have revealed this, it will be trivial for any cracker to include this pattern in their decryption script ... if it isn't already there (which is not impossible at all). Commonly used patterns such as the one you describe can be identified mathematically and easily applied to the decryption process. The added work of even 100 patterns absolutely pales in comparison to real brute-force, so you should expect crackers to get past your "salt" real easy.

      Making patterns like yours from the name of the website, or information in the usertable, is standard operating procedure when cracking.

      Stop doing it. It does little to help you. At the very least you should use a pattern containing characters not present in the website name, and not present in your user properties on the site in question.

      - Jesper

      --
      My security clearance is so high I have to kill myself if I remember I have it...
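
The following Python script is an added example, not code from the thread or from Drupal.org. It shows the two points above in working form: the site-name "salt" described in the quoted comment (initials, full name, first letters, in a few cases and separator variants) is a small rule set a cracker applies to a base wordlist, and the bulletin's distinction between salted and unsalted hashes changes only how many times each candidate must be hashed, not whether the pattern is found. The user table, the wordlist, the site name "slash dot", and the SHA-256-over-salt-and-password scheme are all constructed for illustration; the page does not describe Drupal.org's actual hashing.

```python
import hashlib
import secrets
from typing import Optional


def site_tokens(site_words: list[str]) -> list[str]:
    """Strings a cracker derives from a site's name: initials ("sd"), the
    joined name, and the first few letters, each in three case variants."""
    words = [w.lower() for w in site_words]
    base = {
        "".join(w[0] for w in words),   # "sd"
        "".join(words),                 # "slashdot"
        words[0][:2],                   # "sl"
        "".join(words)[:3],             # "sla"
    }
    out = set()
    for t in base:
        out.update({t, t.upper(), t.capitalize()})
    return sorted(out)


def candidates(base_passwords, tokens, separators=("", "-", "_")):
    """The 'prepend/append a site token' rule applied to every base password."""
    for pw in base_passwords:
        yield pw
        for t in tokens:
            for sep in separators:
                yield f"{t}{sep}{pw}"
                yield f"{pw}{sep}{t}"


def hash_password(password: str, salt: Optional[str]) -> str:
    """Illustrative scheme only (SHA-256 over salt || password); assumed here,
    not the scheme Drupal.org uses."""
    return hashlib.sha256(((salt or "") + password).encode()).hexdigest()


def crack(user_table, base_passwords, site_words):
    """Recover passwords from a leaked table. Unsalted rows share one hash per
    candidate; salted rows cost one hash per candidate per user. Returns the
    recovered {user: password} map and the number of hashes computed."""
    tokens = site_tokens(site_words)
    recovered = {}
    hashes_computed = 0

    # Unsalted entries: hash each candidate once and look it up for all users.
    unsalted = {u["hash"]: u["user"] for u in user_table if u["salt"] is None}
    if unsalted:
        for cand in candidates(base_passwords, tokens):
            hashes_computed += 1
            h = hash_password(cand, None)
            if h in unsalted:
                recovered[unsalted[h]] = cand

    # Salted entries: the same candidates, re-hashed under each user's salt.
    for u in user_table:
        if u["salt"] is None:
            continue
        for cand in candidates(base_passwords, tokens):
            hashes_computed += 1
            if hash_password(cand, u["salt"]) == u["hash"]:
                recovered[u["user"]] = cand
                break
    return recovered, hashes_computed


# Constructed wordlist: the base password from the comment plus two common ones.
BASE_WORDS = ["Aware20130530ness", "password", "letmein"]


def make_sample_table():
    """Constructed leak: three users applied the site-token pattern (carol on a
    legacy unsalted subsite); dave used characters absent from the site name."""
    entries = [
        ("alice", "sdAware20130530ness", secrets.token_hex(4)),
        ("bob", "password-SD", secrets.token_hex(4)),
        ("carol", "slashdot_letmein", None),
        ("dave", "x7!Aware20130530ness", secrets.token_hex(4)),
    ]
    return [{"user": u, "salt": s, "hash": hash_password(p, s)} for u, p, s in entries]


if __name__ == "__main__":
    found, n = crack(make_sample_table(), BASE_WORDS, ["slash", "dot"])
    print(f"recovered {found} after {n} hashes")
```

Per-user salting forces the salted rows to be attacked one at a time, but with a dozen site-derived tokens and a handful of separators the whole rule set is a few hundred candidates per base word, which is why the comment's advice is to use characters that do not appear in the site name or in the user's own profile data.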
  2. Re:what is the third party software? by kbahey · Score: 3, Insightful

    It is known, but they did not name it publicly because the investigation is still ongoing.