
SourceForge attacked, resets 2 million account passwords to protect users - ssclafani
http://thenextweb.com/industry/2011/01/29/sourceforge-attacked-resets-2-million-account-passwords-to-protect-users/
======
bradleyland
I'm not sure how this protects users? SF was already compromised. If someone
gained access to the passwords in their database, they're already out in the
wild. Changing your password now has zero benefit to the user outside of
protecting access to SF itself.

~~~
nodata
> I'm not sure how this protects users? SF was already compromised.

The passwords were _potentially_ compromised. Changing the passwords for their
users means the user accounts won't work with the (potentially) compromised
passwords any more.

> If someone gained access to the passwords in their database, they're already
> out in the wild. Changing your password now has zero benefit to the user
> outside of protecting access to SF itself.

If the user is using one password for all websites that's a separate problem.
This move is to protect SF users' accounts.

~~~
bradleyland
Both of which are protection for SF, not for the user. Personally, I use a
utility called 1Password, which means I don't use the same password for very
many sites. My point is that for those who do use the same password for SF as
well as other sites, this move doesn't protect them. It only protects SF.

In short, I disagree with the wording of the title. This does nothing to
protect users, it only protects SF.

~~~
nodata
What more could they be doing?

~~~
bradleyland
Nothing. The breach is over. And they should force user password changes. I'll
say it again. I'm simply disagreeing with the phrasing of the title painting
this as protecting users.

------
ck2
So the passwords were NOT taken from the DB (should not be in there anyway,
just a hash of them) but rather sniffed over the network itself?

------
ericmsimons
Didn't realize anyone still used SF anymore...everything seems to be on GH
these days :)

~~~
atrain34
"What's a SourceForge?"

... thinking the same thing. GitHub is the new SourceForge.

------
moe
They should just shut it down. SF has been way over its expiry date long
before this incident.

~~~
jackolas
What's wrong with it? Most projects that use it have used it for ages...

------
albertogh
Since I don't use SF these days, I'm not resetting my password. If they can't
properly protect my password, I'm not giving them a new one.

