[ic] For review - new Strap template for Interchange 5

Jon Jensen jon at endpoint.com
Sun Oct 18 00:49:58 UTC 2015

On Sat, 17 Oct 2015, Josh Lavin wrote:

>> 1.  Customer and affiliate passwords should be encrypted with bcrypt, 
>> not plain text.  I think the time for allowing plain text storage of 
>> passwords is long past and IC is perfectly capable of using the current 
>> recommendation for this which is bcrypt.
> I put this on the #interchange channel, but the reason we don't use 
> crypt in Strap at this point, is because of the demo mode. We want to 
> keep plain-text passwords for the demo users, so you can look in the 
> database and see what a user's password is, to login to their account.

That doesn't seem like a compelling reason to me. Much more important to 
do the right thing by default for real sites, I think. Demos are 
temporary, but real ecommerce sites are forever. :)

For the demo, can't we just show in plain text what the logins are on the 
login page itself?


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list