[ic] For review - new Strap template for Interchange 5

Jon Jensen jon at endpoint.com
Sat Oct 17 02:43:24 UTC 2015


On Sat, 17 Oct 2015, Peter wrote:

> 1.  Customer and affiliate passwords should be encrypted with bcrypt, 
> not plain text.  I think the time for allowing plain text storage of 
> passwords is long past and IC is perfectly capable of using the current 
> recommendation for this which is bcrypt.
>
> 2.  Not a strap issue, but admin passwords should also be bcrypt now, 
> not old crypt.
>
> To accommodate the above we may need to update KitchenSink to add the 
> modules needed for bcrypt, I'm not sure if they're in KitchenSink at the 
> moment or not.

Good points, Peter.

They're not in either of the bundles now.

We need to add:

Digest::Bcrypt
Crypt::Random

I don't think I've seen any trouble installing those with various versions 
of Perl and other CPAN modules yet. Although Crypt::Random depends on 
Math::Pari which I vaguely recall being a pain in the distant past.

But we don't have any other strong, modern password hashing options in 
Interchange right now, so it seems reasonable to make bcrypt the default 
and include the needed modules.

> There may be a case for changing Bundle::Interchange,

I think so.

Mike, what do you think?

Thanks,
Jon


-- 
Jon Jensen
End Point Corporation
https://www.endpoint.com/
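As an added illustration of the bcrypt hashing discussed above with the two modules Jon names (example code written for this page, not code from the thread or from Interchange): hash a new password with a salt from Crypt::Random, then verify a submitted password by re-deriving the digest with the stored cost and salt. The record layout `cost$salt_b64$digest_hex` and the hypothetical helper names are assumptions for this example, not Interchange's storage format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::Bcrypt;
use Crypt::Random qw(makerandom_octet);
use MIME::Base64 qw(encode_base64 decode_base64);

# Work factor: each +1 doubles the hashing time; raise it as hardware speeds up.
my $COST = 12;

# Produce a storable record for a new password.
# Record layout "cost$salt_b64$digest_hex" is an assumption for this example.
sub hash_password {
    my ($password) = @_;
    # bcrypt wants exactly 16 salt octets; /dev/urandom (Strength => 0) is
    # sufficient for a salt and avoids blocking on /dev/random.
    my $salt = makerandom_octet(Length => 16, Strength => 0);
    my $bc = Digest::Bcrypt->new(cost => $COST, salt => $salt);
    $bc->add($password);
    return join '$', $COST, encode_base64($salt, ''), $bc->hexdigest;
}

# Constant-time comparison so the position of a mismatch is not
# leaked through timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Re-derive the digest with the stored cost and salt, then compare.
sub verify_password {
    my ($password, $record) = @_;
    my ($cost, $salt_b64, $stored_hex) = split /\$/, $record, 3;
    return 0 unless defined $stored_hex;
    my $bc = Digest::Bcrypt->new(cost => $cost, salt => decode_base64($salt_b64));
    $bc->add($password);
    return ct_eq($bc->hexdigest, $stored_hex);
}

# Constructed sample usage.
my $record = hash_password('correct horse battery staple');
print "stored: $record\n";
print "right password: ", (verify_password('correct horse battery staple', $record) ? 'ok' : 'FAIL'), "\n";
print "wrong password: ", (verify_password('Tr0ub4dor&3', $record) ? 'FAIL' : 'rejected'), "\n";
```

Because the cost is stored with each record, it can be raised later for new passwords without invalidating existing ones.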