[Wine] WineHQ database compromise

[James McKenzie]

On Wed, Oct 12, 2011 at 7:30 AM, doh123 <wineforum-user at winehq.org> wrote:
>
> jwhite wrote:
>>
>> On the other hand, if you use a password that is a dictionary word,
>> or only a trivial distance from a dictionary word, then I would suspect
>> your password would fall to a fairly basic dictionary attack.
>
>
> Regardless of this incident, anyone using such passwords needs to change them anyways, so maybe this can work as a wake up call.
>
> Someone recently broke one of my gmail accounts somehow that was using 7 characters letters and numbers, no words... luckily I don't keep anyone in my online address book except my other accounts, so I just got spammed from my own account and Google disabled my account temporarily due to suspicious activity.  Seems like the days for 15 character complex password requirements are getting here soon.
>
One of my accounts REQUIRES a 15 letter or longer password.  And it
has been that way for two years now.  I highly suggest using a
password of at least 256 bits or higher.

However, if someone were to break into Wine Bugzilla, how hard would
it be to clean up the mess?  I don't know, but I would suggest a close
watch on current and new bug entries until this has been completely
cleaned up and all accounts locked out or have a password changes as
there are accounts that have not been used for a long time.

I also suggest a 60 day lockout.  Any account not used for 60 days
gets locked out with an unlock with security question unlock....

James