[ic] For review - new Strap template for Interchange 5

Gert van der Spoel gert at 3edge.com
Sun Oct 18 08:01:31 UTC 2015


>> On Sat, 17 Oct 2015, Josh Lavin wrote:
>>> 1.  Customer and affiliate passwords should be encrypted with bcrypt, 
>>> not plain text.  I think the time for allowing plain text storage of 
>>> passwords is long past and IC is perfectly capable of using the 
>>> current recommendation for this which is bcrypt.
>>
>> I put this on the #interchange channel, but the reason we don't use 
>> crypt in Strap at this point, is because of the demo mode. We want to 
>> keep plain-text passwords for the demo users, so you can look in the 
>> database and see what a user's password is, to login to their account.
>
> That doesn't seem like a compelling reason to me. Much more important to
> do the right thing by default for real sites, I think. Demos are temporary,
> but real ecommerce sites are forever. :)
>
> For the demo, can't we just show in plain text what the logins are on the
> login page itself?
> 
> Jon

+1

For the 'old' demo there is a page that directs people to the admin or
customer facing area, including credentials, no?

Also agreeing with Peter about (randomly) switching on/off that demo flag
(not sure if one would ever want to do that, but people are amazing :)):
that would create scenarios which require all kinds of extra work to keep
things 'in line' ...

Keeping it simple is a good start.

CU,

Gert
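The approach the thread converges on (hash every stored password with bcrypt, and let the demo login page display the demo credentials instead of keeping a plain-text column) can be sketched in a few lines of Perl. This is an added example, not Strap or Interchange code; it assumes the CPAN module Crypt::Eksblowfish::Bcrypt is installed, and the cost factor, the account names and the demo passwords are placeholders chosen here.

```perl
#!/usr/bin/perl
# Added example (not Interchange/Strap code): seed demo accounts with bcrypt
# hashes and show the demo credentials on the login page instead of storing
# them in the userdb in plain text.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);   # assumed CPAN module

# Cost factor chosen here: 2^10 key-setup rounds. Raise it as hardware gets faster.
my $COST = 10;

# Build a bcrypt settings string ($2a$<cost>$<22-char salt>) from a fresh
# 16-byte random salt read from /dev/urandom.
sub new_settings {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $salt;
    my $n = read $fh, $salt, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return sprintf('$2a$%02d$%s', $COST, en_base64($salt));
}

# Hash a new password with a fresh salt; this string is what goes in the userdb.
sub hash_password {
    my ($plain) = @_;
    return bcrypt($plain, new_settings());
}

# bcrypt($plain, $stored) re-derives the hash using the salt and cost embedded
# in $stored, so the result equals $stored only for the right password.
sub check_password {
    my ($plain, $stored) = @_;
    return bcrypt($plain, $stored) eq $stored;
}

# Constructed demo accounts (placeholder values). The plain-text passwords
# live only in this seed list and on the demo login page; the userdb column
# receives nothing but the bcrypt hash.
my %demo = (
    demouser  => 'demo-customer-pass',
    affiliate => 'demo-affiliate-pass',
);
my %userdb = map { $_ => hash_password($demo{$_}) } keys %demo;

# What a demo login page can print without a plain-text password column:
for my $u (sort keys %demo) {
    printf "login: %-10s password: %s\n", $u, $demo{$u};
}

# Login check against the stored hash, plus a negative case.
die "demo login broken"       unless check_password('demo-customer-pass', $userdb{demouser});
die "wrong password accepted" if     check_password('not-the-password',  $userdb{demouser});
print "stored hash for demouser: $userdb{demouser}\n";
```

Because the hash string carries its own salt and cost, the same `check_password` works unchanged for demo and real accounts, and a later increase of `$COST` only affects newly hashed passwords, which is the usual way to migrate.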
