[ic] For review - new Strap template for Interchange 5
Jon Jensen
jon at endpoint.com
Sun Oct 18 00:49:58 UTC 2015
On Sat, 17 Oct 2015, Josh Lavin wrote:
>> 1. Customer and affiliate passwords should be encrypted with bcrypt,
>> not plain text. I think the time for allowing plain text storage of
>> passwords is long past and IC is perfectly capable of using the current
>> recommendation for this which is bcrypt.
>
> I put this on the #interchange channel, but the reason we don't use
> crypt in Strap at this point, is because of the demo mode. We want to
> keep plain-text passwords for the demo users, so you can look in the
> database and see what a user's password is, to login to their account.
That doesn't seem like a compelling reason to me. Much more important to
do the right thing by default for real sites, I think. Demos are
temporary, but real ecommerce sites are forever. :)
For the demo, can't we just show in plain text what the logins are on the
login page itself?
Jon
--
Jon Jensen
End Point Corporation
https://www.endpoint.com/
More information about the interchange-users
mailing list