Linode Resets Passwords due to exploit
Funny, I actually read this first on Slashdot 2-3 hours after the above blog post.
Really would have expected an Email security notice from Linode on this.
4 Replies
@Dweeber:
Really would have expected an Email security notice from Linode on this.
They are, but publishing a blog post is faster than sending hundreds of thousands of emails. They're doing both at the same time.
Last time they had to do an email blast, they used a third-party mail company and people complained that it looked like a phishing attempt. >_<
However, I think their password reset mechanism has something to be desired. Upon logging in with my old password, I just got a form asking me to enter the new password. That is terribly insecure! I should have been emailed a unique reset URL with an expiring key, to then use to reset my password. As it was, if someone did have my password, all they would have to do is login, change my password, and I'd be locked out!
@mwchase:
However, I think their password reset mechanism has something to be desired. Upon logging in with my old password, I just got a form asking me to enter the new password. That is terribly insecure! I should have been emailed a unique reset URL with an expiring key, to then use to reset my password. As it was, if someone did have my password, all they would have to do is login, change my password, and I'd be locked out!
I agree. This is terribly insecure!!
Shame on Linode.. You guys can do better!