Hello,

--- Mike Masin <[EMAIL PROTECTED]> wrote:
> Great job. It has many of the 'would be nice' features
> that were discussed in the past. Thanks!
It looks good; however, it appears security of passwords is still a secondary consideration for this system:

1) non-SSL log-in
2) identical username/password to the RWI system, and it seems that those usernames/passwords are "synched" daily with the other system.

#2 means that the usernames/passwords are likely being stored in plain text on at least *2* distinct systems now, thus creating more of a risk of hacking, etc. It'd be better to have *1* unified login system somewhere, and have the password stored only there as an MD5 hash or something. Look at how Yahoo does it, for instance -- all logins take place via https://login.yahoo.com/ or something (i.e. a single subdomain). Having multiple systems where the passwords are stored in plaintext means one is only as secure as the *weakest* of those systems.

The RRC didn't have much that was really "private" or "secret", and it makes me wonder why the username/password is there at all, or why it doesn't at least allow use of a second username/password combo that is unrelated to our main one used in the RWI, which can be used to hijack all our domains.

Sincerely,

George Kirikos
http://www.kirikos.com/
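The "store the password only once, and only as a hash" point above, as an added illustration that is not part of the original message or of the RWI/RRC systems it discusses. The mail suggests "an MD5 hash or something"; this example uses a per-user random salt with PBKDF2-HMAC-SHA256 instead, since an unsalted fast hash of a weak password can be reversed by table lookup. The store is a plain dict standing in for the single login system's database; the usernames, passwords and the `store_holds_plaintext` check are constructed for the example. Both of the systems in the mail would call `verify_password` against this one store rather than receiving a daily copy of the credentials.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example: a slow, salted password hash.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(store: dict, username: str, password: str) -> None:
    """Record (salt, digest) for the user; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, hash_password(password, salt))


def verify_password(store: dict, username: str, password: str) -> bool:
    """Check a login attempt against the single credential store."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that
        # username existence is not revealed by response timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, expected = record
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt), expected)


def store_holds_plaintext(store: dict, password: str) -> bool:
    """Constructed check: does the stored material contain the password bytes?"""
    needle = password.encode("utf-8")
    return any(needle in salt or needle in digest for salt, digest in store.values())


def demo() -> dict:
    """Populate a single store and exercise the verifier (example data)."""
    store = {}
    store_password(store, "registrar-user", "correct horse battery staple")
    return {
        "good": verify_password(store, "registrar-user", "correct horse battery staple"),
        "bad": verify_password(store, "registrar-user", "wrong password"),
        "unknown": verify_password(store, "nobody", "anything"),
        "plaintext_present": store_holds_plaintext(store, "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because only the salt and digest are stored, compromising the database yields no reusable credentials for the other system; the "weakest of the systems" concern in the mail applies to any host that holds a plaintext copy, which this design avoids by having exactly one verifier.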
