In episode 120 of the TechSNAP podcast [skip 20 mins in], hosts Chris and Allan were discussing the breach of the Ubuntu Forums last month, when 1.82 million account details were estimated to have been at risk. According to Ars Technica, MD5 hashing was in place with a per-user salt. But whether you’ve got plaintext passwords, unsalted hashes, or single-iteration hashing, it’s time to upgrade. Chris and Allan discussed this issue, noting that when a user logs in, the web application has the plaintext password so that’s the opportunity to store the password using the new algorithm; users who haven’t logged in for a while will just have to wait. Of course, it doesn’t have to be this way, you can be a lot more proactive – and I’m sure Chris and Allan, who were just speaking off the cuff, would realise that too with a moment’s thought. Continue reading →