[ic] For review - new Strap template for Interchange 5
Gert van der Spoel
gert at 3edge.com
Sun Oct 18 08:01:31 UTC 2015
>>On Sat, 17 Oct 2015, Josh Lavin wrote:
>>> 1. Customer and affiliate passwords should be encrypted with bcrypt,
>>> not plain text. I think the time for allowing plain text storage of
>>> passwords is long past and IC is perfectly capable of using the
>>> current recommendation for this which is bcrypt.
>> I put this on the #interchange channel, but the reason we don't use
>> crypt in Strap at this point, is because of the demo mode. We want to
>> keep plain-text passwords for the demo users, so you can look in the
>> database and see what a user's password is, to login to their account.
> That doesn't seem like a compelling reason to me. Much more important to
do the right thing by default for real sites, I think. Demos are temporary,
but real ecommerce sites are forever. :)
> For the demo, can't we just show in plain text what the logins are on the
login page itself?
For the 'old' demo there is a page that directs people to the admin or
customer facing area, including credentials, no?
Also agreeing with Peter about (randomly) switching on/off that demo flag
(not sure if one would ever want to do that, but people are amazing :)) that
that would create scenarios which require all kinds of extra work to keep
things 'in line' ...
Keeping it simple is a good start.
More information about the interchange-users