I’ve just got an email from typo3.org (where I have an account) informing me that their site was hacked and the users’ passwords were stolen. So I should change my password on any other site where I reused it.
Here is a fragment from the email:
——————————————————-
We have to inform you that an unauthorized person has gained administrative
access to the TYPO3.org website.

The offender had access to website user details including their passwords, and
there have been reports of this data being used to access other websites.
It also has to be expected that the data may have been disclosed to third
parties.

Important!
IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE CHANGE IT
IMMEDIATELY!

We have set up an FAQ page at http://typo3.org/about/faq/t3org-issue/
The page may be updated with new questions from time to time, so make sure to
check back before replying to this mail.
——————————————————-
How stupid do you have to be to store passwords in plain text? Because I must assume that is how they were stored. Honestly, I expected more from the TYPO3 people. No matter how secure you think your application is, you must always store passwords encrypted with some algorithm, because if someone gains access to the database (a hacker, a former employee, and so on) they will have much less to gain from it.
This way typo3.org has probably compromised hundreds, if not thousands, of people’s accounts on other sites. Sure, it would be ideal to have a unique password for each site, but as practice shows, many people use the same password everywhere, or at least in many places.
4 comments
Actually, you don’t ever want to encrypt a password. Add a per-user salt and then hash the password. The hash is one-way, and the salt protects you from rainbow tables.
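The post argues that a stolen user table should give the thief as little as possible, and the comment above gives the standard recipe: a random per-user salt, then a one-way hash. The following Python is an added example written for this page; it is not code from TYPO3, the post’s author or the commenters. It implements that recipe with PBKDF2-HMAC-SHA256, an iterated (deliberately slow) hash that goes one step beyond the plain salted hash the comment describes. The iteration count, salt length, record layout and the user names in the demo are all choices made here, not anything the page specifies.

```python
import hashlib
import hmac
import secrets

# Illustrative example written for this page; not TYPO3 code.
# Assumptions made here: PBKDF2-HMAC-SHA256, a 16-byte random salt per user,
# and a "$"-separated record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000  # slows down offline guessing; tune to your hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record: algorithm, cost, per-user salt and digest.

    The salt is random per user, so two users with the same password get
    different digests and a precomputed (rainbow) table is useless.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time.

    No key is needed and nothing is decrypted: the stored digest cannot be
    turned back into the password, it can only be matched against a guess.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or truncated record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def records_share_digest(record_a, record_b):
    """True if two stored records carry the same digest (what a per-user salt prevents)."""
    return record_a.rsplit("$", 1)[-1] == record_b.rsplit("$", 1)[-1]


def build_user_table(credentials, iterations=ITERATIONS):
    """Turn {username: password} into {username: record}; the table never holds plaintext."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in credentials.items()}


def demo():
    # Constructed sample accounts; "alice" and "bob" deliberately share a password.
    table = build_user_table({"alice": "hunter2", "bob": "hunter2", "carol": "tr0ub4dor&3"})
    for user, record in table.items():
        print(user, record)
    print("alice/bob digests equal:", records_share_digest(table["alice"], table["bob"]))
    print("login alice ok:", verify_password("hunter2", table["alice"]))
    print("login alice wrong pw:", verify_password("Hunter2", table["alice"]))


if __name__ == "__main__":
    demo()
```

Run the demo and note that alice and bob, who chose the same password, are stored with different digests; a leaked table therefore does not even reveal which users share a password, let alone the password itself. Verification works by recomputing the digest from the stored salt, which is why a hash needs no decryption key and why encrypting first adds nothing a stolen key would not undo.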
I’m curious why wouldn’t you want to encrypt it? I would encrypt it and generate a hash from the encrypted password. So it would be even more difficult to get something out of it.
Did anybody say something about plain text? typo3 uses typo3 that uses md5 hash for password encryption. Still, you can crack the password if you have it and use it somewhere else.
@Mr.D
Do not speak if you cannot improve the silence.
This article is from 2008. Back then TYPO3 didn’t have encrypted passwords. Just for your information.