was the "Please reset your npm registry account" legit?


mgutz
Mar 7, 2012, 11:26:12 PM
to nod...@googlegroups.com
I received an email asking me to reset my account. Is this legit? No mention here.

Joshua Holbrook
Mar 8, 2012, 12:00:31 AM
to nod...@googlegroups.com
I also received this email. I'm guessing it's legit.

Exhibit A: All of the links are legit.

Exhibit B: https://twitter.com/#!/izs/status/177564294899183616

It sure would be nice, though, if Isaac confirmed.

--Josh

On Wed, Mar 7, 2012 at 8:26 PM, mgutz <mario.l....@gmail.com> wrote:
> I received an email asking me to reset my account. Is this legit? No mention
> here.

--
Joshua Holbrook
Engineer
Nodejitsu Inc.
jo...@nodejitsu.com

Brandon Benvie
Mar 8, 2012, 3:07:31 AM
to nod...@googlegroups.com
And the next question is: how do you even reset your password? Because I couldn't locate that nugget of information. Also I didn't get that email at my registered npm email address.

mscdex
Mar 8, 2012, 3:21:45 AM
to nodejs
On Mar 8, 3:07 am, Brandon Benvie <brandon.ben...@gmail.com> wrote:
> And the next question is: how do you even reset your password? Because I
> couldn't locate that nugget of information. Also I didn't get that email at
> my registered npm email address.

http://admin.npmjs.org/reset

FYI the confirmation email took awhile to get to my inbox.

Jann Horn
Mar 8, 2012, 4:11:57 AM
to nod...@googlegroups.com
On Wednesday, 07.03.2012, 20:26 -0800, mgutz wrote:
> I received an email asking me to reset my account. Is this legit? No
> mention here.

Looks legit - the issue really existed, and it was really fixed.


dvbportal
Mar 8, 2012, 12:33:32 PM
to nod...@googlegroups.com
The password hashes and salts of the registry's CouchDB have been compromised. Per default the _users database of CouchDB is not secured. :(

See the following gist for details: https://gist.github.com/2001456
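The exposure dvbportal describes is a CouchDB instance whose _users database answers unauthenticated reads. The following self-audit script is an added example, not code from this thread or from npm or CouchDB; it assumes the 1.x/2.x user-document field names (password_sha, salt, derived_key) and a base URL you supply, and classifies whether your own instance leaks hashes, lists users, or refuses the request.

```python
import json
import urllib.error
import urllib.request

# Fields CouchDB stores in _users documents (1.x: password_sha/salt,
# 2.x: derived_key/salt).  Any of them in an unauthenticated response
# means credential material is readable by anyone.
SECRET_FIELDS = {"password_sha", "salt", "derived_key"}


def classify_users_db(status, body):
    """Classify an unauthenticated GET /_users/_all_docs?include_docs=true.

    status: HTTP status code; body: decoded JSON dict or None.
    Returns (verdict, names) where verdict is one of
    'protected', 'hashes_exposed', 'listable', 'unknown'.
    """
    if status in (401, 403):
        return "protected", []           # auth required: expected state
    if status == 200 and isinstance(body, dict):
        rows = body.get("rows", [])
        exposed = []
        for row in rows:
            doc = row.get("doc") or {}
            if doc.get("type") == "user" and SECRET_FIELDS & set(doc):
                exposed.append(doc.get("name", row.get("id")))
        if exposed:
            return "hashes_exposed", exposed
        # 200 but no secret fields: user list is still enumerable
        return "listable", [r.get("id") for r in rows]
    return "unknown", []


def audit_couchdb(base_url, timeout=10):
    """Query a CouchDB base URL (assumed input) without credentials."""
    url = base_url.rstrip("/") + "/_users/_all_docs?include_docs=true"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_users_db(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:
        return classify_users_db(e.code, None)


# Constructed sample response from an instance still in "admin party" mode.
SAMPLE_OPEN = {"total_rows": 1, "offset": 0, "rows": [
    {"id": "org.couchdb.user:alice", "doc": {
        "type": "user", "name": "alice", "roles": [],
        "password_sha": "<constructed>", "salt": "<constructed>"}}]}
```

A 'hashes_exposed' or 'listable' verdict on your own server means an admin has not been configured (the database is in "admin party" mode), which is the first thing to fix.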

Jann Horn
Mar 8, 2012, 1:32:49 PM
to nod...@googlegroups.com
On Thursday, 08.03.2012, 09:33 -0800, dvbportal wrote:
> The password hashes and salts of the registry's CouchDB have been
> compromised. Per default the _users database of CouchDB is not secured. :(

WTF? "Have been compromised"? It always was that way, and as long as you
use strong passwords, it's no problem. You're suggesting it was some
kind of attack/mistake/..., but that's not the case. It was "Couch can't
do that? Well, then we can't."

I really don't understand the buzz.


dvbportal
Mar 8, 2012, 2:33:44 PM
to nod...@googlegroups.com
I was just explaining why Isaac is recommending to change passwords. At least people were wondering about the email.

Leaking password hashes is considered a security breach. In this case the user database was unprotected and that was clearly a mistake. The fact that it always was unprotected doesn't make it right.

Isaac Schlueter
Mar 8, 2012, 10:50:37 PM
to nod...@googlegroups.com
Yes, it's legit.

There will always be some hubbub and buzz around things like this. I
emailed people directly in an attempt to minimize the publicity for
long enough for the affected users to get a chance to reset their
passwords. Also, I figured that the people actually involved would be
a bit more likely to actually read the details, rather than try to fan
this into a bigger story than it really is.

Not to be dismissive, of course. It's a real cause for concern. But
this is the sort of thing that often ends up with people shouting that
"node is insecure, npm packages are all compromised", etc, etc. It's
not about protecting reputations -- FUD can actually make a real
problem harder to solve properly. Truth and facts are much better.

There will be a blog post early next week, for anyone who didn't get the email.
