  #27  
Old 06-24-2004, 04:25 PM
skelter
Fire Beetle
 
Join Date: May 2004
Posts: 1

Well, I hate to add to a flame fest, but that post by Trixy was pretty much wrong on every point as far as I can tell.

Anyway, on to my real reason for posting. The attacker apparently had access to the DB with all the usernames and (apparently) plain text passwords. It's a pretty fundamental security practice that plain text passwords should never be stored (or even transmitted). It should be pretty simple to store sha1/md5 hashes of the passwords and compare those rather than the plain text passwords. Now maybe all the devs are aware of this and there might be a good reason for not doing this that I'm not aware of, so I guess you can consider it a feature request.