
Re: wiki.debian.org password reset



On Mon, Jan 07, 2013 at 02:28:20AM +0000, Luca Filipozzi wrote:
> On Mon, Jan 07, 2013 at 12:57:38PM +1100, Andrew McGlashan wrote:
> > What I want to know is the following....
> > 
> > Do you perform hardening practices such as described at this page:
> > 
> >    http://crackstation.net/hashing-security.htm
> 
> lucaf@portabofh:~$ curl  http://crackstation.net/hashing-security.htm
> Count not connect to PHPCount MySQL server!
> lucaf@portabofh:~$ 

Having looked at Google's cached version of that page...

> >  - if so, then we should be safe, if not, WHY NOT?
> 
> That site is broken (see above).

moin 1.9.x uses SSHA (salted SHA1):

http://moinmo.in/MoinMoin2.0/SecurePasswordStorage

It is understood that SHA1 is outdated.

We've begun a discussion regarding using a newer hash algorithm and possibly a
key stretching algorithm.

> Please consider adding debian-www@lists.debian.org and/or
> debian-admin@debian.org to the thread if/when you reply.

I've done this.

Cheers,

Luca

-- 
Luca Filipozzi
Member, Debian System Administration Team
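
Added example, not part of the original message and not MoinMoin's own code: a sketch of how a salted SHA-1 ("SSHA") record differs from a key-stretched one, and how stored hashes can be upgraded on the next successful login. It assumes the common LDAP-style SSHA layout (base64 of the SHA-1 digest followed by the salt); the `{PBKDF2-SHA256}` tag, the field layout after it and the iteration count are hypothetical choices made for this example.

```python
import base64
import hashlib
import hmac
import os

SSHA = "{SSHA}"
PBKDF2 = "{PBKDF2-SHA256}"   # hypothetical tag for this example
ITERATIONS = 200_000         # assumed work factor; tune for your hardware


def ssha_hash(password, salt=None):
    """Legacy: a single SHA-1 pass over password || salt, no stretching."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SSHA + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len(SSHA):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Stretched: the same salt idea, but `iterations` HMAC-SHA256 rounds."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    fields = (str(iterations), base64.b64encode(salt).decode(),
              base64.b64encode(dk).decode())
    return PBKDF2 + "$".join(fields)


def pbkdf2_verify(password, stored):
    iterations, salt, dk = stored[len(PBKDF2):].split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(dk))


def verify_and_upgrade(password, stored):
    """Return (ok, replacement); replacement is set when a legacy hash matched."""
    if stored.startswith(PBKDF2):
        return pbkdf2_verify(password, stored), None
    if stored.startswith(SSHA) and ssha_verify(password, stored):
        return True, pbkdf2_hash(password)     # re-hash while plaintext is at hand
    return False, None
```

Accounts that never log in again keep their legacy record, so a migration of this kind is usually paired with a forced reset for hashes still in the old format after a cut-off date.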

