by DiabloD3 5225 days ago
The writeup of this is rather suspect. What happened is someone guessed slush's Linode account password, and used the root password reset feature from there.

What I don't understand is why does such a feature exist, why doesn't Linode require >16 character length passwords that are sufficiently random (or eschew password auth altogether), and why does slush (apparently from what I can tell) allow password auth for ssh AND allow root to login on ssh.
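For the SSH side of the question above, an added example (not code from the thread or from Linode, and assuming a flat sshd_config without Match blocks): a POSIX sh check that reports whether a config still allows root login and password authentication, honouring sshd's first-value-wins rule and the keyboard-interactive caveat a hardening pass usually misses.

```shell
# Added example, not code from the thread or from Linode: a POSIX sh audit
# of an sshd_config for the two settings DiabloD3 asks about (root login
# over SSH and password authentication). sshd(8) uses the FIRST value it
# sees for a keyword, so a "PermitRootLogin no" appended below an earlier
# "PermitRootLogin yes" changes nothing; the check mirrors that rule.
# Assumption: a flat config without Match blocks.

# sshd_effective KEYWORD DEFAULT   (config text on stdin)
# Prints the lower-cased effective value of KEYWORD, or DEFAULT if unset.
# Keywords are case-insensitive; "Key value" and "Key=value" are both
# accepted; comment and blank lines are ignored; first occurrence wins.
sshd_effective() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$lc" -v def="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comment or blank line
        { gsub(/=/, " ") }                       # normalise Key=value
        !found && tolower($1) == kw { print tolower($2); found = 1 }
        END { if (!found) print def }
    '
}

# sshd_audit CONFIG_TEXT
# Prints one WEAK line per problem; returns 0 if hardened, 1 otherwise.
sshd_audit() {
    cfg=$1 rc=0
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin unset)
    pw=$(printf '%s\n' "$cfg"   | sshd_effective PasswordAuthentication unset)
    kbd=$(printf '%s\n' "$cfg"  | sshd_effective KbdInteractiveAuthentication unset)
    cr=$(printf '%s\n' "$cfg"   | sshd_effective ChallengeResponseAuthentication unset)
    # "unset" is flagged too: it means the build default decides, which is
    # not something an audit should trust.
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pw" = no ]   || { echo "WEAK: PasswordAuthentication=$pw (want no)"; rc=1; }
    # Caveat: with UsePAM, keyboard-interactive auth can still prompt for the
    # Unix password after PasswordAuthentication is off. Older sshd spells the
    # keyword ChallengeResponseAuthentication; accept either one being "no".
    [ "$kbd" = no ] || [ "$cr" = no ] ||
        { echo "WEAK: keyboard-interactive auth still enabled (kbd=$kbd, challenge=$cr)"; rc=1; }
    return $rc
}

# Constructed sample configs (not real hosts).
SAMPLE_WEAK='# constructed: the pattern the thread complains about
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later in a hardening attempt; ignored because first value wins
PermitRootLogin no'

SAMPLE_HARDENED='# constructed: key-only, no root
Port 22
PermitRootLogin no
PasswordAuthentication=no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

echo "== weak sample =="
sshd_audit "$SAMPLE_WEAK" || echo "result: NOT hardened"
echo "== hardened sample =="
sshd_audit "$SAMPLE_HARDENED" && echo "result: hardened"
```

On a live host the authoritative input is `sshd -T` (run as root), which prints the effective configuration with lower-cased keywords; `sshd_audit "$(sshd -T)"` feeds that straight into the same check and avoids guessing at build defaults or Match-block effects.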


Yes, the writing is a little incoherent. Maybe that's the reason you missed that, in fact, someone used Linode's 'Customer Service Representative' interface to get access to his account.

Don't stop reading and comment with 'I call bullshit'.

The response from Linode says that it was a "customer support interface" that was used to access the account. This seems to indicate an error in their support system rather than someone guessing slush's password.

> why doesn't Linode require >16 character length passwords that are sufficiently random

Well, depending on how they got Marek's password, it might not matter. If someone went to his apartment and saw it written down on a post-it...

If they had guessed his password then their login would have shown up in the activity logs for his account, which he indicated was not the case.