[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
Darren Duncan
darren at darrenduncan.net
Mon Oct 27 22:51:49 GMT 2008
Zbigniew Lukasiak wrote:
> * Your passwords are stored in the 'password' field in your users
> table and are not encrypted.
This is always a bad idea. If someone ever gets direct database access, they
now know each user's mindset as to how they choose passwords, and can
subsequently log in to the application as them or target them in a wider context
where they may have used similar passwords elsewhere. You always want passwords
in a one-way hash, and if users forget their password, you don't tell it to
them, but you have them make a new one. Also, reminding users of their password
in an email message is a bad idea.

-- Darren Duncan
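The storage and reset flow described in the reply above, as an added example (editor's code, not from the original message, Catalyst, or the SimpleDB plugin). It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the one-way hash, an iteration count chosen for illustration, and an in-memory dict standing in for the 'users' table; the point is that the row never holds the plaintext, that verification is a constant-time comparison of derived values, and that a forgotten password is handled by issuing a single-use reset token rather than by revealing anything.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for this example; a real deployment tunes it to its hardware.
PBKDF2_ITERATIONS = 100_000


class UserStore:
    """In-memory stand-in (constructed for this example) for the 'users' table
    discussed in the thread. A row holds a salt and a derived hash, never the
    plaintext password, so a database dump reveals neither the password nor the
    user's habits in choosing it."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password, salt):
        # One-way: the stored value cannot be turned back into the password.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def set_password(self, username, password):
        salt = os.urandom(16)  # fresh per-user salt on every change
        self._rows[username] = {
            "salt": salt,
            "password_hash": self._derive(password, salt),
            "reset_token_hash": None,  # any outstanding reset token is voided
        }

    def verify_password(self, username, password):
        row = self._rows.get(username)
        if row is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * 16)
            return False
        candidate = self._derive(password, row["salt"])
        # Constant-time comparison of the two derived values.
        return hmac.compare_digest(candidate, row["password_hash"])

    def begin_reset(self, username):
        """Forgotten password: issue a random single-use token to send to the
        user (for example inside a reset link). Only its hash is stored, and the
        old password is not recoverable, so there is nothing to 'remind' the
        user of by email."""
        if username not in self._rows:
            return None
        token = secrets.token_urlsafe(32)
        self._rows[username]["reset_token_hash"] = hashlib.sha256(
            token.encode("utf-8")
        ).digest()
        return token

    def complete_reset(self, username, token, new_password):
        """Accept the token once, then have the user set a new password."""
        row = self._rows.get(username)
        if row is None or row["reset_token_hash"] is None:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, row["reset_token_hash"]):
            return False
        # set_password writes a fresh salt and hash and clears the token,
        # so the same token cannot be replayed.
        self.set_password(username, new_password)
        return True

    def row_contains_plaintext(self, username, password):
        """What an attacker with direct database access would see: the row's
        bytes contain the salt and hash, not the password."""
        row = self._rows[username]
        return password.encode("utf-8") in (row["salt"] + row["password_hash"])
```

The same shape applies whatever the hash is: the application stores salt plus derived value, compares derived values on login, and on "forgot password" proves the user's control of a side channel (the reset link) before letting them choose a new password.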