I made the default 'clear', as the tutorial uses 'clear' and it is the
least likely to cause failure of auth for those just coming to
catalyst / going through the tutorials. The password_type config
option allows changing it to something more reasonable for production
use.
Matt and I discussed and he made the point that this module will
probably get a lot of production use and its default should probably
at least attempt to prevent newbies from making bad design choices...
or at least make it a bit more difficult. I must agree.
As such, an updated module is on its way to CPAN - which uses
'crypted' as the default. The documentation has been adjusted to
reflect this. You can still use a password_type of 'clear' by
setting it explicitly, but you _will_ get warned in your logs that it
is an insecure password storage mechanism.
Jay
On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:
On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
Zbigniew Lukasiak wrote:
* Your passwords are stored in the 'password' field in your users
table and are not encrypted.
This is always a bad idea. If someone ever gets direct database access,
they now know each user's mindset as to how they choose passwords
This is the catalyst list, not the "stating the fucking obvious" list.
--
Matt S Trout                     Need help with your Catalyst or DBIx::Class project?
Technical Director               http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd.           Want a managed development or deployment platform?
http://chainsawblues.vox.com/    http://www.shadowcat.co.uk/servers/
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
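The thread above contrasts the 'clear' and 'crypted' values of the password_type option. The following is an added Perl example, not code from the thread or from the module itself: it shows the weak setting beside the hardened one in a Catalyst application config, and the helper a registration path would use to produce the value stored in the password column when 'crypted' is selected. The application name MyApp, the realm and store names, the 'Plugin::Authentication' config key, and the assumption that the credential verifies by comparing crypt($submitted, $stored) to $stored are all assumptions made for this illustration.

```perl
package MyApp;    # placeholder application class, not a real project
use strict;
use warnings;
use Catalyst qw/Authentication/;    # assumes Catalyst::Plugin::Authentication is installed

# Weak form, kept here only for contrast: 'clear' compares the submitted
# password against the raw column, so the column must hold plaintext.
my $weak_credential = {
    class          => 'Password',
    password_field => 'password',
    password_type  => 'clear',
};

# Hardened form: the column holds a crypt(3) hash and the credential compares
# crypt() output instead of the plaintext.
my $hardened_credential = {
    class          => 'Password',
    password_field => 'password',
    password_type  => 'crypted',
};

__PACKAGE__->config(
    'Plugin::Authentication' => {    # assumed config key for current releases
        default_realm => 'members',
        realms        => {
            members => {
                credential => $hardened_credential,
                store      => {
                    class      => 'DBIx::Class',    # placeholder store class
                    user_model => 'DB::User',       # placeholder model name
                },
            },
        },
    },
);

# Used on the account-creation path: produce the value to store in the
# 'password' column. The "$6$" prefix selects SHA-512 on glibc-style crypt(3)
# implementations (assumption: the platform's crypt supports it; older DES-only
# crypt would silently use just the first two salt characters).
sub crypted_password {
    my ($plaintext) = @_;
    my @chars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );
    my $salt = join '', map { $chars[ rand @chars ] } 1 .. 16;
    return crypt( $plaintext, '$6$' . $salt . '$' );
}

# The comparison the 'crypted' credential is assumed to perform, re-implemented
# here so the storage format and the check can be read side by side.
sub check_crypted {
    my ( $plaintext, $stored ) = @_;
    return crypt( $plaintext, $stored ) eq $stored;
}

1;
```

With 'crypted' in place, a copy of the users table yields only salted hashes, which removes the direct exposure the quoted message describes; the log warning mentioned for 'clear' is the signal to look for in an existing deployment that has not yet switched.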