[ic] For review - new Strap template for Interchange 5

Mike Heins mikeh at endpoint.com
Sat Oct 17 12:18:32 UTC 2015


Quoting Jon Jensen (jon at endpoint.com):
> On Sat, 17 Oct 2015, Peter wrote:
> 
> >1.  Customer and affiliate passwords should be encrypted with
> >bcrypt, not plain text.  I think the time for allowing plain text
> >storage of passwords is long past and IC is perfectly capable of
> >using the current recommendation for this which is bcrypt.
> >
> >2.  Not a strap issue, but admin passwords should also be bcrypt
> >now, not old crypt.
> >
> >To accommodate the above we may need to update KitchenSink to add
> >the modules needed for bcrypt, I'm not sure if they're in
> >KitchenSink at the moment or not.
> 
> Good points, Peter.
> 
> They're not in either of the bundles now.
> 
> We need to add:
> 
> Digest::Bcrypt
> Crypt::Random
> 
> I don't think I've seen any trouble installing those with various
> versions of Perl and other CPAN modules yet. Although Crypt::Random
> depends on Math::Pari which I vaguely recall being a pain in the
> distant past.
> 
> But we don't have any other strong, modern password hashing options
> in Interchange right now, so it seems reasonable to make bcrypt the
> default and include the needed modules.
> 
> >There may be a case for changing Bundle::Interchange,
> 
> I think so.
> 
> Mike, what do you think?

I think it's done! V1.11 is up in CPAN.

-- 
Mike Heins
End Point -- Expert Internet Consulting    http://www.endpoint.com/
phone +1.765.253.4194  <mikeh at endpoint.com>

There's nothing sweeter than life nor more precious than time.
-- Barney
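
As an added illustration of the change discussed in this thread (not code from Interchange or from any of the posters), the sketch below uses the two modules named above to hash and verify a password with bcrypt. The function names, the work factor of 12 and the `cost$salt$digest` storage format are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::Bcrypt;
use Crypt::Random qw(makerandom_octet);

my $COST = 12;    # assumed work factor; tune to your hardware

# Returns "cost$salt_hex$digest_hex" (constructed storage format for this example).
sub hash_password {
    my ($password, $cost, $salt) = @_;
    $cost //= $COST;
    $salt //= makerandom_octet(Length => 16);    # bcrypt takes a 16-octet salt
    my $bcrypt = Digest::Bcrypt->new;
    $bcrypt->cost($cost);
    $bcrypt->salt($salt);
    $bcrypt->add($password);
    return join '$', $cost, unpack('H*', $salt), $bcrypt->hexdigest;
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Re-hash the candidate with the stored cost and salt, then compare.
sub verify_password {
    my ($password, $stored) = @_;
    my ($cost, $salt_hex, $digest_hex) = split /\$/, $stored, 3;
    return 0 unless defined $digest_hex
        && $cost =~ /^\d+$/
        && $salt_hex =~ /^[0-9a-f]{32}$/;
    my $candidate = hash_password($password, $cost, pack('H*', $salt_hex));
    return constant_time_eq($candidate, $stored);
}

# Constructed sample password, for demonstration only.
my $stored = hash_password('correct horse battery staple');
print "stored:         $stored\n";
print "right password: ", (verify_password('correct horse battery staple', $stored) ? "accepted" : "rejected"), "\n";
print "wrong password: ", (verify_password('Tr0ub4dor&3', $stored) ? "accepted" : "rejected"), "\n";
```

Because the salt is random per call, hashing the same password twice yields different stored strings; only the stored string, never the plain-text password, needs to be kept in the user table.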


