[ic] For review - new Strap template for Interchange 5
Stefan Hornburg (Racke)
racke at linuxia.de
Sun Oct 18 12:06:26 UTC 2015
On 10/18/2015 02:49 AM, Jon Jensen wrote:
> On Sat, 17 Oct 2015, Josh Lavin wrote:
>
>>> 1. Customer and affiliate passwords should be encrypted with bcrypt, not plain text. I think the time for allowing plain text storage of passwords is long past and IC is perfectly capable of using the current recommendation for this which is bcrypt.
>>
>> I put this on the #interchange channel, but the reason we don't use crypt in Strap at this point is because of the demo mode. We want to keep plain-text passwords for the demo users, so you can look in the database and see what a user's password is, to log in to their account.
>
> That doesn't seem like a compelling reason to me. Much more important to do the right thing by default for real sites, I think. Demos are temporary, but real ecommerce sites are forever. :)
>
> For the demo, can't we just show in plain text what the logins are on the login page itself?
>
> Jon
>
I agree with Jon as well ... strong crypt should be the default; a lot of Interchange projects started from the demos.
Regards
Racke
--
Perl and Dancer Development
Visit our Perl::Dancer conference 2015.
More information on https://www.perl.dance.