Hi Tomas,

> I personally have bad experience with people storing passwords in plain
> text.  Technically it might not be an issue (after all I think the wiki
> doesn't need passwords at all) but it is certainly one of those warning

Thanks as ever for your input, but your argumentation is quite
inconsistent.

While you stress the rather cosmetic issue of whether passwords are
stored (non)encrypted in the db, you suggest using no passwords at all
for the wiki.

This is a very bad idea. If you take a closer look at the wiki, you see
that it uses a role/permission system. We have admin users who can do
anything, and member users with limited rights. As anybody in the world
who finds his way to this wiki can automatically become a member, he
could easily obtain administrative rights if there were no passwords,
with the result that he could completely manipulate all data, including
the editing history.


> signs telling me "get ready for trouble with these guys"
> (http://i.imgur.com/xZW77.png ).  And this issue pops up all the time,
> e.g. today on reddit
> http://www.reddit.com/r/programming/comments/dwkzr/is_it_industry_common_practice_to_send_plaintext/

Different issues again. I objected in one of the first posts to this
thread to sending passwords in unencrypted mails. But here we were
talking about storing plain text passwords in a protected database,
which would get compromised only if the whole database got into evil
hands, which in turn has to be avoided for more important reasons than
just the passwords (in the general case).

Cheers,
- Alex