
Clear text passwords....
... they obviously deserve everything they get.
Splunk, a kind of Google for business technology that boasts it can help reinforce your security, has exposed the details of major customers to hackers following a web site slip up. The passwords of customers on Splunk.com were revealed after some debug information leaked on to its production servers. The debug code exposed …
with that name. Seriously, who saluted that one when they ran it up the flagpole?
And, please, any discussion of "internal Splunk deployment" should be kept in the Netherlands where it belongs.
Then again it might make a good (and it's really about time we had one) generic verb/noun for an enterprise privacy breach. As in: "I don't believe it, BT have splunked my credit card details all over the place!" etc.
A security company keeping passwords of users? And in the clear? I will give them a free piece of invaluable advice. Store a hash of the password, never the password itself. There is absolutely no reason why any system would need to keep the password on file - except to increase the risk of exposing sensitive information or to use it for criminal activity.
And Yahoo. And Bing. And Bebo. And Yell.com is rather silly. Facebook and YouTube are quite silly.
Still, Splunk appears to be a 21st century venture,
http://en.wikipedia.org/wiki/Splunk
rather than a survivor from the late 90s, the era of Internet companies with silly names.
Splunk seems to be a tool to aggregate your own network's log files? Sort of a screen scraper for logs?
I wonder why they didn't go with "Logorrhoea"? Or something like "Logistics"?
...drive me nuts. Especially when the "helpful" website sends me an email saying "thanks for registering, your username is XYZ and your password is ABC". Don't lie - nobody uses a different password for _everything_. I have a range of passwords I treat with different levels of security.
If I'm registering just to download something I probably don't want anyway, I'll set my basic simple password (I may even use a mailinator address too). If it has anything to do with my finances, it's > 12 characters and very complex. There are a few levels in-between, but I get so pissed off when a stupid website exposes one of my mid-level passwords, and I have to change everything else I use it with. Fortunately I'm careful enough with my important passwords that I haven't had an idiot website expose it yet.
To reiterate what other people have said - it's not just that they shouldn't _send_ me the password, it's that they shouldn't be _able_ to send me my password. They shouldn't know it - it should always be stored as a hash! That way, nobody can just leech all the passwords in the event of a break-in. I'd call it "page one", to be honest.
This article is complete BS.
Splunk takes security so seriously that because silly passwords to the splunk.com website (not the product, not the user's website, not the user's data) were seen by *5* Splunk internal employees, they recommended that users change their passwords. Again, this is just the user's account for splunk.com, which is just for downloading the free Splunk product, and they were only seen by 5 Splunk internal employees. No hackers, no public access, no data loss.
There is NOTHING dangerous about this at all. It's absurd that Splunk is being maligned for doing the right thing.
Just to clear up some misconceptions...
1. Last week, due to some temporary debug code that was promptly removed, we discovered that some splunk.com users’ passwords inadvertently appeared in our internal web server logs.
2. No one’s password was accessible from the internet or the splunk.com web site, and we took immediate steps to purge the confidential information from our internal system logs.
3. Our internal IT team that monitors the Splunk.com site logs is the only group of employees who would have temporarily been able to see these passwords.
4. This applies only to passwords on our web site, splunk.com, and did not impact anyone’s deployment of Splunk software or the data stored in customers’ instances of Splunk.
5. We proactively reset all potentially affected users’ passwords; cleared all of these users’ active sessions on splunk.com; purged the information from all internal log files; and then notified all affected users, sending them a new temporary password. This was a precaution.
No, we don't normally leave clear text passwords in the logs - web monkeys have been appropriately flogged.
Feel free to ask me any questions or see the updated blog post here: http://blogs.splunk.com/2010/04/24/splunk-com-password-leak/
Thanks,
John Mark Walker
Splunk Community Guy
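The two points the thread keeps returning to are that a site should only ever hold a salted hash of a password, and that debug code must never be able to write the password itself into a web server log. The following is an added example of both, not Splunk's code; the in-memory user store, the credential field names and the sample credentials are assumed for illustration.

```python
import hashlib
import hmac
import os
import re
import logging

# Constructed, in-memory user store (hypothetical): username -> (salt, PBKDF2 digest).
# Only the salted hash is kept, so neither the database nor a log can yield the password.
_USERS: dict = {}
_ITERATIONS = 200_000

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)                      # fresh per-user salt, stored beside the hash
    _USERS[username] = (salt, _derive(password, salt))

def verify(username: str, password: str) -> bool:
    entry = _USERS.get(username)
    if entry is None:
        _derive(password, bytes(16))           # same cost for unknown users, so timing is flat
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, _derive(password, salt))

# Debug logging of a request: strip credential fields before the log line is even built.
_SECRET_KEYS = frozenset({"password", "passwd", "pwd", "new_password"})

def redact(params: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in _SECRET_KEYS else v) for k, v in params.items()}

def format_request_for_log(path: str, params: dict) -> str:
    query = "&".join(f"{k}={v}" for k, v in redact(params).items())
    return f"{path}?{query}"

# Backstop on the logger itself: even if temporary debug code dumps the raw request,
# any password=... pair is scrubbed before the record reaches a handler or a file.
_PASSWORD_PAIR = re.compile(r"\b(password|passwd|pwd)=([^&\s]+)", re.IGNORECASE)

def scrub(text: str) -> str:
    return _PASSWORD_PAIR.sub(r"\1=[REDACTED]", text)

class RedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())   # format first, then scrub the result
        record.args = ()
        return True

if __name__ == "__main__":
    register("alice", "hunter2")               # constructed sample credentials
    log = logging.getLogger("web")
    log.addFilter(RedactingFilter())
    log.warning("raw request: /login?user=alice&password=hunter2")
```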