<p>If the passwords are vulnerable even after upgrading to a version that knows how to hash the passwords, then the project doesn't take security very seriously, IMNSHO, and should not be allowed to be used. It is trivial to upgrade from plaintext to hashed and salted. </p>
<p>In any other situation (meaning, involving a password database that is already hashed), the proper solution is to migrate users at their next login, because that's the only way to upgrade from one hash type to another. It is the only time that the plaintext of the password should be available in a password-based system. </p>
<div class="gmail_quote">On Jul 12, 2012 4:12 PM, "Ron Frazier (ALE)" <<a href="mailto:atllinuxenthinfo@techstarship.com">atllinuxenthinfo@techstarship.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#ffffff">
Hi all,<br>
<br>
FWIW, here are some miscellaneous security items that you might want to
be aware of that I heard on the latest Security Now podcast. I haven't
had any chance to investigate any of these in detail.<br>
<br>
* If you're a lastpass user, there is a setting in the options which
allows you to turn on iterative password hashing. This helps prevent
brute force attacks on your password. Recommended setting is 512 I
believe. Apparently, for some accounts, it is not turned on by default.<br>
<br>
* If you're forced to use Windows, a vulnerability in Vista and Windows
7 sidebars and gadgets has been discovered which potentially allows an
attacker to do "remote code execution". In other words, they can take
over your machine. Microsoft has released a FixIt button on their
website to totally disable sidebars and gadgets.<br>
<br>
* The following applies if you use the Plesk website management
system. This is a quote from the following website:<br>
<br>
<a href="http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html" target="_blank">http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html</a><br>
<br>
"The first issue is that old versions of Plesk store passwords in <em><strong>clear
text</strong></em> (yes, clear text in 2012). The second is a remote
SQL vulnerability that has been found in old versions of Plesk allowing
attackers to exploit those passwords."<br>
<br>
As I understand it, even if your Plesk installation has been updated,
the passwords in the database are vulnerable until they are changed.<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<pre cols="72">--
(To whom it may concern. My email address has changed. Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address. Please send all personal correspondence to the new address.)
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new email messages very quickly.)
Ron Frazier
<a href="tel:770-205-9422" value="+17702059422" target="_blank">770-205-9422</a> (O) Leave a message.
linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a>
</pre>
</div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div>
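<p>The "migrate users at their next login" approach from the reply above, as an added example that is not code from the thread or from Plesk. It assumes a self-describing record string per user, three record formats (legacy plaintext, legacy unsalted SHA-1, and salted PBKDF2-HMAC-SHA256 as the target), and an in-memory dict standing in for the user table; the sample users and their passwords are constructed for the demo. The only point at which the plaintext is in hand is a successful login, so that is the only place the record can be rewritten into the new format.</p>

```python
"""Rehash-on-login: move a mixed password store to salted PBKDF2.

Added example, not from the original thread. Record formats are an
assumption of this example:
  plain$<password>                      legacy, never to be written again
  sha1$<hex>                            legacy unsalted hash
  pbkdf2$<iters>$<salthex>$<dkhex>      target format
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for the target format (assumed value; raise it over time).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_pbkdf2_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a plaintext password into a self-describing record string."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Check a password against any record format the store has ever used."""
    scheme, _, rest = record.partition("$")
    pw = password.encode()
    if scheme == "plain":
        return hmac.compare_digest(rest.encode(), pw)
    if scheme == "sha1":
        return hmac.compare_digest(hashlib.sha1(pw).hexdigest(), rest)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def needs_upgrade(record: str) -> bool:
    """True unless the record is already PBKDF2 at the current work factor."""
    scheme, _, rest = record.partition("$")
    if scheme != "pbkdf2":
        return True
    return int(rest.split("$")[0]) < PBKDF2_ITERATIONS


# Verified for unknown users so a missing account costs as much as a real one.
_DUMMY_RECORD = make_pbkdf2_record("dummy")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success, rewrite a legacy or weak record in place."""
    record = users.get(username)
    if record is None:
        verify_record(_DUMMY_RECORD, password)
        return False
    if not verify_record(record, password):
        return False
    if needs_upgrade(record):
        # The plaintext is available only here, so migrate here.
        users[username] = make_pbkdf2_record(password)
    return True


def build_sample_users() -> Dict[str, str]:
    """Constructed sample store mixing all three formats (not real data)."""
    return {
        "alice": "plain$correct horse battery staple",
        "bob": "sha1$" + hashlib.sha1(b"hunter2").hexdigest(),
        "carol": make_pbkdf2_record("s3cret"),
    }


def run_migration_demo() -> Dict[str, bool]:
    """Walk the sample store through a few logins; return what was observed."""
    users = build_sample_users()
    carol_before = users["carol"]
    out: Dict[str, bool] = {}
    out["alice_wrong"] = login(users, "alice", "nope")
    out["alice_still_plain"] = users["alice"].startswith("plain$")
    out["alice_ok"] = login(users, "alice", "correct horse battery staple")
    out["alice_upgraded"] = users["alice"].startswith("pbkdf2$")
    out["alice_again"] = login(users, "alice", "correct horse battery staple")
    out["bob_ok"] = login(users, "bob", "hunter2")
    out["bob_upgraded"] = users["bob"].startswith("pbkdf2$")
    out["carol_ok"] = login(users, "carol", "s3cret")
    out["carol_unchanged"] = users["carol"] == carol_before
    out["unknown_user"] = login(users, "mallory", "anything")
    return out


if __name__ == "__main__":
    for key, value in run_migration_demo().items():
        print(f"{key}: {value}")
```

<p>A failed login leaves the legacy record untouched, so users who never return are never upgraded; that is the reason a store that was plaintext to begin with should be hashed in bulk immediately (no plaintext is needed for that step), while a store that is already hashed can only be moved to a new algorithm one successful login at a time. The same function also catches records hashed at an older, lower iteration count and rehashes them, which is the mechanism behind raising a work factor like the LastPass iteration setting mentioned in the quoted post.</p>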