[ic] For review - new Strap template for Interchange 5
Mike Heins
mikeh at endpoint.com
Sat Oct 17 12:18:32 UTC 2015

Quoting Jon Jensen (jon at endpoint.com):
> On Sat, 17 Oct 2015, Peter wrote:
>
> >1. Customer and affiliate passwords should be encrypted with
> >bcrypt, not plain text. I think the time for allowing plain text
> >storage of passwords is long past and IC is perfectly capable of
> >using the current recommendation for this which is bcrypt.
> >
> >2. Not a strap issue, but admin passwords should also be bcrypt
> >now, not old crypt.
> >
> >To accommodate the above we may need to update KitchenSink to add
> >the modules needed for bcrypt, I'm not sure if they're in
> >KitchenSink at the moment or not.
>
> Good points, Peter.
>
> They're not in either of the bundles now.
>
> We need to add:
>
> Digest::Bcrypt
> Crypt::Random
>
> I don't think I've seen any trouble installing those with various
> versions of Perl and other CPAN modules yet. Although Crypt::Random
> depends on Math::Pari which I vaguely recall being a pain in the
> distant past.
>
> But we don't have any other strong, modern password hashing options
> in Interchange right now, so it seems reasonable to make bcrypt the
> default and include the needed modules.
>
> >There may be a case for changing Bundle::Interchange,
>
> I think so.
>
> Mike, what do you think?

I think it's done! V1.11 is up in CPAN.

--
Mike Heins
End Point -- Expert Internet Consulting http://www.endpoint.com/
phone +1.765.253.4194 <mikeh at endpoint.com>
There's nothing sweeter than life nor more precious than time.
-- Barney