On 10/16/11 4:41 PM, dimesio wrote:
> jjmckenzie wrote:
>> if your Forum logon, for instance, was cracked, so was your Bugzilla and Applications Database.
> Do you seriously believe that the fact that people had to create separate accounts for the various parts of WineHQ stopped anyone from using the same login and password on all of them?

No. I don't believe this for one moment. One of the tricks of breaking
security is to rely on people being lazy. The process of adding a
'single' sign-on was addressed and the ability of compromise was one of
the reasons it was rejected. However, there is nothing that prevents a
user on the Forums from using the same login information for all four
sites, which leaves the accounts in the same situation. I do recommend
that different passwords be used for the different sites, but that is up
to the individual user to assess, evaluate and to accept the risk. In
this case, the database was compromised, and user information should be
assumed to be leaked (although Jeremy says it was not, and I have strong
faith in his abilities, crackers are very careful to cover their tracks
if at all possible.)
Summary: If you have accounts on the four WineHQ sites, use different
passwords. I tend to use 256-bit or higher, easy-to-remember ones.
Pass-phrases are the best as only you know what was changed and why.
James