[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy

Thomas L. Shinnick tshinnic at io.com
Tue Oct 28 01:35:56 GMT 2008


At 07:13 PM 10/27/2008, Jason Kuri wrote:
>I made the default 'clear', as the tutorial uses 'clear' and it is the
>least likely to cause failure of auth for those just coming to
>catalyst / going through the tutorials.  The password_type config
>option allows changing it to something more reasonable for production
>use.
>
>Matt and I discussed and he made the point that this module will
>probably get a lot of production use and its default should probably
>at least attempt to prevent newbies from making bad design choices...
>or at least make it a bit more difficult.   I must agree.
>
>As such, an updated module is on its way to CPAN - which uses
>'crypted' as the default.  The documentation has been adjusted to
>reflect this.   You can still use a password_type of 'clear' by
>setting it explicitly, but you _will_ get warned in your logs that it
>is an insecure password storage mechanism.

(There's always a dissenter.)

If I explicitly override the default, by explicitly requesting 
'clear', because my requirements explicitly need this ability, then I 
must change the code to get rid of the warning?  Ahh, but it's for 
the 'simple', who must be guided, and can't be bothered to read the 
warnings in the text so bonk'em repeatedly in the logs till they mind 
what you say.  Which is to explicitly not use the feature which 
you've explicitly provided?  (sigh)

How about adding 'clear_please_please' ?

(Just because I like simple doesn't mean I _am_ 'simple' - and I 
really do appreciate the simplicity enablers, really)

>Jay
>
>
>On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:
>
>>On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>>>Zbigniew Lukasiak wrote:
>>>>   * Your passwords are stored in the 'password' field in your users
>>>>table and are not encrypted.
>>>
>>>This is always a bad idea.  If someone ever gets direct database
>>>access,
>>>they now know each user's mindset as to how they choose passwords
>>
>>This is the catalyst list, not the "stating the fucking obvious" list.
>>
>>--
>>      Matt S Trout       Need help with your Catalyst or DBIx::Class
>>project?
>>   Technical Director                    http://www.shadowcat.co.uk/catalyst/
>>Shadowcat Systems Ltd.  Want a managed development or deployment
>>platform?
>>http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
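For readers following the password_type discussion above, an added illustration (not code from the post, nor from the SimpleDB module itself): the two realm configurations side by side, and the crypt()-based comparison that 'crypted' storage implies, written with Perl's built-in crypt. The application and model names are assumed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the module's own code. 'MyApp::Schema::Users' is an
# assumed model name; the realm keys follow the form the SimpleDB docs use.

# Weak setting: passwords stored as plain text. The updated module only
# accepts this when set explicitly, and logs a warning every time.
my %insecure_realm = (
    class         => 'SimpleDB',
    user_model    => 'MyApp::Schema::Users',
    password_type => 'clear',
);

# Default in the updated module: the stored value is crypt() output, so a
# direct database read yields no plaintext passwords.
my %crypted_realm = (
    class         => 'SimpleDB',
    user_model    => 'MyApp::Schema::Users',
    password_type => 'crypted',
);

# In the application class, e.g.:
# __PACKAGE__->config( 'Plugin::Authentication' => { default => \%crypted_realm } );

# What 'crypted' means at verification time: the stored string doubles as the
# salt, so re-running crypt() with it must reproduce the stored string.
# With a traditional two-character salt crypt() is DES-based and only the
# first eight characters of the password count; where the system crypt
# supports it, a salt such as '$6$...' selects a stronger hash.
sub crypt_password {
    my ($plain, $salt) = @_;
    return crypt($plain, $salt);
}

sub check_crypted {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

# Constructed sample with a fixed salt so the run is reproducible.
my $stored = crypt_password('s3cret', 'ab');
print "stored: $stored\n";
print check_crypted('s3cret', $stored) ? "match\n"    : "no match\n";
print check_crypted('wrong',  $stored) ? "match\n"    : "no match\n";
```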