Hi,

I follow the development of Insoshi from GitHub as I find it interesting how other people accomplish things in Rails. I'm generally impressed by the code structure and techniques, but I believe the way passwords are stored is a grave problem.

As far as I can tell, with the current password encryption system, if the host server is compromised (specifically, an attacker accesses the rails directory) every single password is immediately available. Admittedly you are going to have lots of other problems if that happens, but even if the attacker adds code to transmit entered passwords, the damage would be a fraction of releasing every password.

Sending passwords in plaintext back over e-mail is also a bad practice, as it is likely to significantly decrease the time required for an attacker to compromise all of a user's accounts, given the common practice of password reuse.

Please consider using salted hashes or something like the ruby-bcrypt module. I am particularly concerned because I expect there are many other programmers like myself who look at the Insoshi project for ideas and guidance, and they take away this dangerous method. At least a mention of the significant caveat in the documentation would go a long way.

Best regards,
Andrew
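
Added example, not part of the original message and not Insoshi's code: a reversible scheme whose key lives with the application, next to the salted one-way hash the message asks for. The key, function names and iteration count are assumptions, and PBKDF2 from Ruby's bundled OpenSSL stands in for bcrypt so the block runs without extra gems.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for a reversible scheme: a single key kept in the app
# directory. Hypothetical; this is not Insoshi's actual implementation.
APP_KEY = OpenSSL::Digest::SHA256.digest("key file shipped in the app directory")

def encrypt_password(password)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = APP_KEY
  iv = cipher.random_iv
  iv + cipher.update(password) + cipher.final
end

# Whoever holds APP_KEY plus the stored column recovers every plaintext.
def decrypt_password(blob)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = APP_KEY
  cipher.iv = blob[0, 16]
  (cipher.update(blob[16..-1]) + cipher.final).force_encoding("UTF-8")
end

ITERATIONS = 100_000 # assumed work factor; tune for your hardware

def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# One-way: only the per-user salt and the digest are stored, no key exists.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, digest: derive(password, salt) }
end

# Compare in constant time so a mismatch position does not leak via timing.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, record)
  constant_time_eq?(derive(password, record[:salt]), record[:digest])
end
```

With the hashed records there is nothing to mail back to a user, so a "forgot password" flow has to issue a reset instead of sending the old password.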
