Zbigniew Lukasiak wrote:
    * Your passwords are stored in the 'password' field in your users
table and are not encrypted.

This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords, and can subsequently log in to the application as them or target them in a wider context where they may have used similar passwords elsewhere. You always want passwords in a one-way hash, and if users forget their password, you don't tell it to them, but you have them make a new one. Reminding users of their password in an email message is also a bad idea. -- Darren Duncan
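As an added illustration of the scheme Darren describes (this is not code from the thread or from the Catalyst project, and it is in Python rather than Perl because the logic does not depend on the framework): passwords are stored only as salted, iterated one-way hashes, login recomputes the hash and compares it in constant time, and a forgotten password is handled by mailing a single-use reset token, never the password itself. The in-memory `users` dict stands in for the users table, and the `begin_reset`/`finish_reset` names and the 15-minute token lifetime are assumptions for the example.

```python
"""Password storage as recommended above: one-way salted hashes plus a
reset flow that never reveals or mails the stored secret.
Added example; the 'users' dict is a stand-in for the real users table."""
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2-HMAC-SHA256 from the standard library. A memory-hard KDF (scrypt,
# argon2) is preferable where available; the surrounding logic is the same.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                         # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the users table: username -> row.
users = {}
# Hash verified for unknown usernames so a missing account costs the same time.
DUMMY_HASH = hash_password(secrets.token_hex(8))


def create_user(username, password):
    users[username] = {"password": hash_password(password), "reset": None}


def login(username, password):
    row = users.get(username)
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row["password"])


def begin_reset(username, now=None, ttl=900):
    """Forgotten password: mint a random token, store only its hash, and
    return the token so the caller can mail it. Returns None for unknown
    users; the caller should respond identically in both cases."""
    row = users.get(username)
    if row is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    row["reset"] = (hashlib.sha256(token.encode()).hexdigest(), now + ttl)
    return token


def finish_reset(username, token, new_password, now=None):
    """Consume the token (single use, even on failure) and set a new hash."""
    row = users.get(username)
    if row is None or row["reset"] is None:
        return False
    now = time.time() if now is None else now
    token_hash, expiry = row["reset"]
    row["reset"] = None
    if now > expiry:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(token_hash, presented):
        return False
    row["password"] = hash_password(new_password)
    return True
```

The stored record carries its own algorithm and iteration count, so the cost can be raised later and old rows re-hashed on the user's next successful login without a migration; the reset token is stored hashed for the same reason the password is, so that a database read does not yield a usable credential.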

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/