http://qs321.pair.com?node_id=1180110

So, this meditation is about anger management. Or maybe failed anger management. You will notice an abrupt end, at a point where I just wanted to yell at everyone.


I stumbled over an old thread, Is there a Perl authentication and authorisation framework for CGI web application?, where Your Mother gave this really good answer:

Password recovery means passwords are stored in a readable fashion and this is a worst practice, so it’s just as well it doesn’t do it.

And that reminds me of an even older thread, What happened?. Linked from there, there is Status of Recent User Information Leak, with the following promise:

Strengthening Authentication

The administrators are planning to implement hashed passwords (allowing more than 8 chars).

What happened since then?

This is what I found in Tidings through 2014-11-10 after visiting Tidings:

10-character passwords now allowed

Jun 10, 2012 at 06:30 CEST

PerlMonks forms used to specify a maximum password length of 8 characters while it was possible to give yourself a 10-character password by bypassing these forms. Now the forms specify a maximum password length of 10 characters.

I must have missed something. It must be so. I don't want to believe that it took three f***ing years to increase the password length by just two characters and call that "case closed". I don't want to believe that after 7.5 years, perlmonks still stores passwords unhashed, unsalted in plain text.

But still, there is a link to What's my password? on the login form, it still requires just a username or a mail address, and it sends me my password in plain text in an unencrypted mail, together with my username!

Hey there.

You or someone else has requested a password for your username or e-mail address.

Before you freak out, take a few deep breaths and remember that it's YOU and not THEM who is getting this password.

Here's your info:

username: afoken

passwd: *****

human name: Alexander Foken

love, the management

http://perlmonks.org/

WHAT THE F**K?!

Yes, I took a deep breath. Several. I slowly counted to 100. Several times.

But:

ARE YOU KIDDING ME?!

7.5 years and nothing relevant has changed. Perlmonks passwords are obviously still stored in plain text, or in a form that can be decrypted on the server, which is as bad as plain text.

That's a login system that would make the worst amateurs blush.

People have been told for years to avoid MD5 hashes because they are insecure. People have been told for years to salt hashes with long, random salts, and to use really expensive hash functions, like bcrypt or PBKDF2.

Yet, perlmonks still uses plain text passwords, 7.5 years after many, if not all, passwords have been copied by some script kiddies? And to add insult to injury, perlmonks happily sends out login name and password in plain text. No traces of a time-limited one-time link for setting a new password. No trace of even the simplest way, sending out one mail with the username, and a second one with the password.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
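As an added illustration of what the post above asks for (salted, deliberately expensive password hashing instead of plain text, and a time-limited one-time reset link instead of mailing the password), here is a small Python sketch. It is example code written for this page, not code from PerlMonks or from the author; the PBKDF2 iteration count, the 15-minute token lifetime, the in-memory `UserStore` and the sample user are all assumptions made for the example.

```python
"""Example only: salted PBKDF2 password storage and a one-time reset token flow.
Constructed for illustration; not PerlMonks code. Uses only the standard library."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Dict, Tuple

# Assumed parameters. Tune the iteration count to your hardware and raise it
# over time; records are self-describing, so old hashes can be upgraded on login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per password means identical passwords get different
    records and precomputed tables are useless; the iteration count makes each
    guess expensive for an attacker who steals the database."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_key(token: str) -> str:
    # Only the hash of a reset token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserStore:
    """Assumed in-memory store standing in for a database."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self.users: Dict[str, str] = {}                       # username -> hash record
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)
        self._dummy = hash_password("dummy", iterations)      # keeps timing even for unknown users

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password, self.iterations)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username, self._dummy)
        ok = verify_password(password, record)   # always do the work, then check membership
        return ok and username in self.users

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a random one-time token to embed in a mailed link; the password is never sent.
        Returns None for unknown users; the HTTP response should look identical either way."""
        now = time.time() if now is None else now
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (one use, even if expired) and set a new password if still valid."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(_token_key(token), None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username] = hash_password(new_password, self.iterations)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("example_user", "correct horse battery staple")   # assumed sample user
    print("stored record:", store.users["example_user"])              # no plaintext in here
    token = store.request_reset("example_user")
    print("mail a link carrying this token, not the password:", token)
    print("reset ok:", store.complete_reset(token, "new password"))
    print("old password still works:", store.login("example_user", "correct horse battery staple"))
```

The point of the reset path is that the server never needs to know the current password to help a locked-out user: it only needs to prove the requester controls the mailbox, which the random, hashed, expiring, single-use token does.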