Hi Tomas,

> I personally have bad experience with people storing passwords in plain
> text.  Technically it might not be an issue (after all I think the wiki
> doesn't need passwords at all) but it is certainly one of those warning

Thanks as ever for your input, but your argumentation is quite

While you stress the rather cosmetic issue of whether passwords are
stored (non)encrypted in the db, you suggest using no passwords at all
for the wiki.

This is a very bad idea. If you take a closer look at the wiki, you see
that it uses a role/permission system. We have admin users who can do
anything, and member users with limited rights. As anybody in the world
who finds his way to this wiki can automatically become a member, he
could easily obtain administrative rights if there were no passwords,
with the result that he could completely manipulate all data, including
the editing history.

> signs telling me "get ready for trouble with these guys"
> (http://i.imgur.com/xZW77.png ).  And this issue pops up all the time,
> e.g. today on reddit
> http://www.reddit.com/r/programming/comments/dwkzr/is_it_industry_common_practice_to_send_plaintext/

Different issues again. I objected in one of the first posts to this
thread to sending passwords in unencrypted mails. But here we were
talking about storing plain text passwords in a protected database,
which would get compromised only if the whole database got into evil
hands, which in turn has to be avoided for more important reasons than
just the passwords (in the general case).

- Alex
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to