[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy

Darren Duncan darren at darrenduncan.net
Mon Oct 27 22:51:49 GMT 2008


Zbigniew Lukasiak wrote:
>     * Your passwords are stored in the 'password' field in your users
> table and are not encrypted.

This is always a bad idea.  If someone ever gets direct database access, they 
now know each user's mindset as to how they choose passwords, and can 
subsequently log in to the application as them or target them in a wider context 
where they may have used similar passwords elsewhere.  You always want passwords 
in a one-way hash, and if users forget their password, you don't tell it to 
them, but you have them make a new one.  Reminding users of their password 
in an email message is also a bad idea. -- Darren Duncan
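The storage scheme Darren describes, as an added illustration that is not part of the thread and not code from Catalyst or the announced SimpleDB module: the `password` column holds only a salted, iterated one-way hash, login recomputes the hash and compares it in constant time, and the forgot-password path replaces the hash instead of revealing anything. The in-memory `users` dict, the `pbkdf2_sha256$iterations$salt$hash` record format and the function names are constructed for this example; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

# Constructed example: the "users table" is a dict keyed by username, and
# each row keeps only the one-way hash in its "password" field.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000  # tune upward as hardware allows


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different stored values, so a leaked table reveals no shared patterns.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed or unknown record: never grant access on a parse failure.
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


# Hashed once at import so that unknown usernames cost the same as a wrong
# password, which keeps login timing from leaking which accounts exist.
_DUMMY_HASH = hash_password("not-a-real-password")


def create_user(users: dict, username: str, password: str) -> None:
    """Store the hash, never the plaintext."""
    users[username] = {"password": hash_password(password)}


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate by recomputing the hash; the stored value is never decoded."""
    row = users.get(username)
    if row is None:
        verify_password(password, _DUMMY_HASH)
        return False
    return verify_password(password, row["password"])


def reset_password(users: dict, username: str, new_password: str) -> bool:
    """Forgot-password flow: the old password cannot be recovered or emailed,
    so the user supplies a new one and only its hash is written."""
    if username not in users:
        return False
    users[username]["password"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    table = {}
    create_user(table, "alice", "correct horse battery staple")
    print(table["alice"]["password"])  # hash record, no plaintext inside
    print(login(table, "alice", "correct horse battery staple"))  # True
    print(login(table, "alice", "guess"))  # False
```

A row produced this way contains nothing an attacker with a database dump can read back as a password; each guess must be run through the same iterated hash, and the per-user salt prevents one precomputed table from covering the whole `users` table.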
