10 comments

[ 2.6 ms ] story [ 33.1 ms ] thread
> your password will be encrypted using a modern secure algorithm, which is currently PHP’s password_hash function, which uses Blowfish or Extended DES and can change over time so we don’t repeat any past mistakes.

Not sure if the OSNews folks are reading this, but I'd definitely not consider either Blowfish or DES to be secure password storage methods. Surely there's some library that'll do bcrypt/scrypt/etc in PHP?

Also, it seems pretty bold to push users with a call-to-action around volunteering / sponsoring in the same post as they alert users to a breach.

bcrypt uses the Blowfish cipher.

http://php.net/manual/en/function.password-hash.php:

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

> Also, it seems pretty bold to push users with a call-to-action around volunteering / sponsoring in the same post as they alert users to a breach.

I understand your point, but I think tone and context matters - they're owning up to the fact that like, "Look, we screwed up, we didn't do a good job here, and hey, we realized that we don't have the resources to do a good job at the moment, so we want to fix that".

It would be different/inappropriate coming from a purely commercial service, but a site that uses a lot of volunteeer/community effort should be able to acknowledge mistakes while asking for help.

(comment deleted)
> Also, it seems pretty bold to push users with a call-to-action around volunteering / sponsoring in the same post as they alert users to a breach.

I think that if OSNews were a company selling products you would be correct. However, the "product" at OSNews kinda IS the community.

(comment deleted)
OSNews was one of my favorite sites when Eugenia Loli was managing editor. My perception at the time was she had a true interest in all aspects of computing and posted stories without over-editorializing making it a great resource for all of the upstart OSes at the time - ReactOS, Linux, BSDs, Darwin, QNX, BeOS, Maemo, SkyOS, MorphOS, Plan 9, etc. There seemed to be multiple stories a day, singularly focused on OS topics, and not general software as it later transitioned to.

I tried to stick around when Thom took over, but the stories became much more opinionated, the content less diverse, and the community more hostile to ideas not shared by the most vocal of commenters.

I've only visited a few times a year since then, but I'm always glad it's there, though it has never captured the spirit of all those years ago.

>but the stories became much more opinionated

same here, OSNews become Thom's personal blog, and I left the site permanetly after he went full SJW in the gamergate days.

strange how things change, not many websites stay the same, even arstechnica which was one of the best became more and more mainstream and spammy
> the stories became much more opinionated

Opinionated with lots of personal political commentary and activism. I really just wanted "OS News" and not be pulled into emotional political drama at a tech site. I can get that in a gazillion other places.

I tried to delete my account about a year ago but there was no option I could see. A couple of weeks ago, I tried to sign in and noticed (I should have noticed earlier but I rarely visited) that the site was unsecured http (even at the login level).

Oh well... another site hacked with my fake & useless credentials.