<html>
<body>
<font size=3>At 07:13 PM 10/27/2008, Jason Kuri wrote:<br>
<blockquote type=cite class=cite cite="">I made the default 'clear', as
the tutorial uses 'clear' and it is the<br>
least likely to cause failure of auth for those just coming to<br>
catalyst / going through the tutorials. The password_type
config<br>
option allows changing it to something more reasonable for
production<br>
use.<br><br>
Matt and I discussed and he made the point that this module will<br>
probably get a lot of production use and it's default should
probably<br>
at least attempt to prevent newbies from making bad design
choices...<br>
or at least make it a bit more difficult. I must
agree.<br><br>
As such, an updated module is on it's way to CPAN - which uses<br>
'crypted' as the default. The documentation has been adjusted
to<br>
reflect this. You can still use a password_type of 'clear'
by<br>
setting it explicitly, but you _will_ get warned in your logs that
it<br>
is an insecure password storage mechanism.</font></blockquote><br>
(There's always a dissenter.)<br><br>
If I explicitly override the default, by explicitly requesting 'clear',
because my requirements explicitly need this ability, then I must change
the code to get rid of the warning? Ahh, but it's for the 'simple',
who must be guided, and can't be bothered to read the warnings in the
text so bonk'em repeatedly in the logs till they mind what you say.
Which is to explicitly not use the feature which you've explicitly
provided? (sigh)<br><br>
How about adding 'clear_please_please' ?<br><br>
(Just because I like simple doesn't mean I _am_ 'simple' - and I really
do appreciate the simplicity enablers, really)<br><br>
<blockquote type=cite class=cite cite=""><font size=3>Jay<br><br>
<br>
On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:<br><br>
<blockquote type=cite class=cite cite="">On Mon, Oct 27, 2008 at
03:51:49PM -0700, Darren Duncan wrote:<br>
<blockquote type=cite class=cite cite="">Zbigniew Lukasiak wrote:<br>
<blockquote type=cite class=cite cite=""> * Your passwords are
stored in the 'password' field in your users<br>
table and are not encrypted.</blockquote><br>
This is always a bad idea. If someone ever gets direct
database<br>
access,<br>
they now know each user's mindset as to how they choose
passwords</blockquote><br>
This is the catalyst list, not the "stating the fucking
obvious" list.<br><br>
--<br>
Matt S Trout
Need help with your Catalyst or DBIx::Class<br>
project?<br>
Technical
Director
<a href="http://www.shadowcat.co.uk/catalyst/" eudora="autourl">
http://www.shadowcat.co.uk/catalyst/</a><br>
Shadowcat Systems Ltd. Want a managed development or
deployment<br>
platform?<br>
<a href="http://chainsawblues.vox.com/%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0" eudora="autourl">
http://chainsawblues.vox.com/
</a>
<a href="http://www.shadowcat.co.uk/servers/" eudora="autourl">
http://www.shadowcat.co.uk/servers/</a></font></blockquote></blockquote>
</body>
</html>