
Re: wiki.debian.org password reset



On Mon, Jan 07, 2013 at 10:54:19PM +0000, Steve McIntyre wrote:
> On Mon, Jan 07, 2013 at 09:19:09PM +0000, Colin Watson wrote:
> >On Sun, Jan 06, 2013 at 10:39:31PM +0000, Luca Filipozzi wrote:
> >> Please recall our recent email regarding the moinmoin [1] vulnerability [2] and
> >> the penetration of Debian's wiki [3].  We have reset all password hashes and
> >> sent individual notification to all Debian wiki account holders with
> >> instructions on how to recover (and thereby reset) their passwords [4].  More
> >> technical details about the attack are available [5].
> >
> >Thanks.  I noticed that my passwords on wiki.debian.org and
> >wiki.debconf.org were identical, but my password on wiki.debconf.org had
> >not been automatically reset.  Perhaps it's worth auditing for this,
> >since I suspect this is not uncommon?
> 
> Hi Colin,
> 
> That's a nice idea, but the two wikis are entirely separate and both
> store hashed passwords. It's difficult for us to tell if users are
> using the same passwords on each system.

Ah, fair enough.  Damn that security ;-)

-- 
Colin Watson                                       [cjwatson@debian.org]

