[ic] For review - new Strap template for Interchange 5
Mike Heins
mikeh at endpoint.com
Sat Oct 17 12:27:39 UTC 2015
Quoting Mike Heins (mikeh at endpoint.com):
> Quoting Jon Jensen (jon at endpoint.com):
> > On Sat, 17 Oct 2015, Peter wrote:
> >
> > >1. Customer and affiliate passwords should be encrypted with
> > >bcrypt, not plain text. I think the time for allowing plain text
> > >storage of passwords is long past and IC is perfectly capable of
> > >using the current recommendation for this which is bcrypt.
> > >
> > >2. Not a strap issue, but admin passwords should also be bcrypt
> > >now, not old crypt.
> > >
> > >To accommodate the above we may need to update KitchenSink to add
> > >the modules needed for bcrypt, I'm not sure if they're in
> > >KitchenSink at the moment or not.
> >
> > Good points, Peter.
> >
> > They're not in either of the bundles now.
> >
> > We need to add:
> >
> > Digest::Bcrypt
> > Crypt::Random
> >
> > I don't think I've seen any trouble installing those with various
> > versions of Perl and other CPAN modules yet. Although Crypt::Random
> > depends on Math::Pari which I vaguely recall being a pain in the
> > distant past.
> >
> > But we don't have any other strong, modern password hashing options
> > in Interchange right now, so it seems reasonable to make bcrypt the
> > default and include the needed modules.
> >
> > >There may be a case for changing Bundle::Interchange,
> >
> > I think so.
> >
> > Mike, what do you think?
>
> I think it's done! V1.11 is up in CPAN.
And in Bundle-Interchange-1.07 too.
--
Mike Heins
End Point -- Expert Internet Consulting http://www.endpoint.com/
phone +1.765.253.4194 <mikeh at endpoint.com>
{((>:o}~ <<<<Oh look!!! An idolatrous image of the prophet!!! Surely
we must now avenge this blasphemy by burning down the world!!!