[Wine] WineHQ database compromise

Martin Gregorie martin at gregorie.org
Wed Oct 12 06:40:35 CDT 2011


On Wed, 2011-10-12 at 10:27 +0200, Frédéric Delanoy wrote:

> Maybe the mail should mention to directly change that pwd (or provide
> a one-time pwd you need to change on first login), but then again it's
> plain http, so that doesn't help much.
> 
Anybody with half a brain will have done that anyway.

Note that that message contains both the 'user name' AND the plaintext
password, but as others have said, this is unavoidable. Immediately on
receipt of the message, the user should:
- login using that password
- change the password to one of his own choice
- logout

BTW, it would be most useful to know more about the type of password that
can be used, in particular:
- maximum and minimum lengths
- what characters are acceptable. A password should be case sensitive
  and contain any printable character. Systems that are case agnostic
  and accept only the characters a-z0-9 are simply not good enough.
  Systems that accept a longer passphrase are good on two counts: a
  phrase is often easier to remember and its length makes it harder
  to crack.
- if a dictionary is used to ban easily guessable passwords
- if passwords can be re-used - ideally not.


Martin
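A policy checker covering the points in the list above (length bounds, any printable character with case-sensitive comparison, a banned-word dictionary, no re-use of earlier passwords), as an added example that is not code from the WineHQ project or the poster; the length bounds, the word list and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Sequence, Tuple

# Assumed policy parameters (illustrative, not WineHQ's actual settings).
MIN_LEN, MAX_LEN = 8, 128              # long passphrases are explicitly allowed
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a real banned-word dictionary.
BANNED_WORDS = {"password", "letmein", "qwerty", "winehq"}

HashRecord = Tuple[bytes, bytes]       # (salt, digest) kept instead of old plaintexts


def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """Salted PBKDF2-HMAC-SHA256; lets us detect re-use without storing old passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def used_before(password: str, history: Sequence[HashRecord]) -> bool:
    """Re-hash the candidate under each stored salt; constant-time compare of digests."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password: str, history: Sequence[HashRecord] = ()) -> List[str]:
    """Return the list of policy violations (an empty list means acceptable).

    Checks follow the post's wish list: length bounds, any printable character
    (comparison stays case sensitive because nothing is lower-cased before
    hashing), a dictionary of easily guessed words, and no re-use of earlier
    passwords.
    """
    problems: List[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not all(ch.isprintable() for ch in password):
        problems.append("control characters are not allowed")
    # Dictionary check: ignore case and surrounding digits/punctuation so that
    # "Password1!" is still caught as the banned word "password".
    core = password.lower().strip(string.digits + string.punctuation)
    if core in BANNED_WORDS:
        problems.append("password is a commonly guessed word")
    if used_before(password, history):
        problems.append("password was used before; choose a new one")
    return problems
```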
