[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy

Jason Kuri jayk at ion0.com
Tue Oct 28 00:13:41 GMT 2008


I made the default 'clear', as the tutorial uses 'clear' and it is the
least likely to cause failure of auth for those just coming to
Catalyst / going through the tutorials. The password_type config
option allows changing it to something more reasonable for production
use.

Matt and I discussed and he made the point that this module will
probably get a lot of production use and its default should probably
at least attempt to prevent newbies from making bad design choices...
or at least make it a bit more difficult. I must agree.

As such, an updated module is on its way to CPAN - which uses
'crypted' as the default. The documentation has been adjusted to
reflect this. You can still use a password_type of 'clear' by
setting it explicitly, but you _will_ get warned in your logs that it
is an insecure password storage mechanism.

Jay


On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:

> On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>> Zbigniew Lukasiak wrote:
>>>   * Your passwords are stored in the 'password' field in your users
>>> table and are not encrypted.
>>
>> This is always a bad idea.  If someone ever gets direct database access,
>> they now know each user's mindset as to how they choose passwords
>
> This is the catalyst list, not the "stating the fucking obvious" list.
>
> --
>      Matt S Trout       Need help with your Catalyst or DBIx::Class
> project?
>   Technical Director                    http://www.shadowcat.co.uk/catalyst/
> Shadowcat Systems Ltd.  Want a managed development or deployment
> platform?
> http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/



