Re: wiki.debian.org password reset
On Mon, Jan 07, 2013 at 02:28:20AM +0000, Luca Filipozzi wrote:
> On Mon, Jan 07, 2013 at 12:57:38PM +1100, Andrew McGlashan wrote:
> > What I want to know is the following....
> >
> > Do you perform hardening practices such as described at this page:
> >
> > http://crackstation.net/hashing-security.htm
>
> lucaf@portabofh:~$ curl http://crackstation.net/hashing-security.htm
> Count not connect to PHPCount MySQL server!
> lucaf@portabofh:~$
Having looked at Google's cached version of that page...
> > - if so, then we should be safe, if not, WHY NOT?
>
> That site is broken (see above).
moin 1.9.x uses SSHA (salted SHA1):
http://moinmo.in/MoinMoin2.0/SecurePasswordStorage
It is understood that SHA1 is outdated.
We've begun a discussion regarding using a newer hash algorithm and possibly a
key stretching algorithm.
> Please consider adding debian-www@lists.debian.org and/or
> debian-admin@debian.org to the thread if/when you reply.
I've done this.
Cheers,
Luca
--
Luca Filipozzi
Member, Debian System Administration Team
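The message above mentions moving from SSHA (salted SHA1) to a newer hash with key stretching. The sketch below is an added example, not part of the original message and not MoinMoin's code: it verifies a legacy hash and re-hashes it with PBKDF2 at the next successful login. It assumes the common LDAP-style `{SSHA}` layout; the `{PBKDF2-SHA256}` label, the iteration count and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def make_ssha(password, salt=None):
    """Legacy format (assumed layout): '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes, the rest is salt
    if len(digest) != 20 or not salt:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def make_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hypothetical format: '{PBKDF2-SHA256}iterations$b64(salt)$b64(key)'."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "{PBKDF2-SHA256}%d$%s$%s" % (iterations, b64(salt), b64(key))

def verify_pbkdf2(password, stored):
    try:
        iterations, salt, key = stored[len("{PBKDF2-SHA256}"):].split("$")
        salt = base64.b64decode(salt, validate=True)
        key = base64.b64decode(key, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # wrong field count, bad base64, bad iteration count
        return False
    return hmac.compare_digest(candidate, key)

def check_login(password, stored):
    """Return (ok, replacement); replacement is set when a legacy hash should be upgraded."""
    if stored.startswith("{PBKDF2-SHA256}"):
        return verify_pbkdf2(password, stored), None
    if stored.startswith("{SSHA}") and verify_ssha(password, stored):
        return True, make_pbkdf2(password)  # re-hash while the plaintext is available
    return False, None
```

The caller stores the replacement string in place of the legacy hash; accounts that never log in again keep the SHA1-based hash until they are reset.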