Hi Tomas,

> On the other hand, as far as I remember, the "standard" picolisp way of
> storing passwords in plain text and even sending them to the user
> editing dialog is even worse.

No, this is not the case! The passwords do not go to the GUI, and never
leave the server.

Yes, they are stored in plain text in the DB. This is not a security
problem, because if an aggressor manages to read the DB directly, he got
control anyway.

It would be a matter of changing just two lines to store them in a
hashed form. I decided not to do that for this application. You see the
advantage in the current case: After Javier forgot his password (and
started this thread) I sent him his old password in an encrypted mail.

- Alex
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to