Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> "It's probably safe to assume that 'there were occurrances of Lish passwords in clear text...' is a euphemism for "we stored all Lish passwords in cleartext."

This borders on libelous, in my opinion. If all Lish passwords had been stored in the clear, I think they would have said that. They've been pretty specific in the rest of the update.

They say they have "invalidated all affected Lish passwords effective immediately". I just logged in to Lish via SSH using the new password I had set on Friday, so I guess mine at least wasn't one of the "occurrences"....

Lish passwords in the clear might have been in support tickets stored in the same database, or chat logs.

Also: "It's very likely that people reused their root login passwords as their Lish passwords..."

Really? I guess it's never a good idea to doubt people's capacity for stupidity, but this seems very obviously a bad idea. Hopefully this isn't so common as to be "very likely".



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: