Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re: It's been ten years ...

by haj (Chaplain)
on Jul 29, 2019 at 19:24 UTC ( #11103593=note: print w/replies, xml ) Need Help??


in reply to It's been ten years ...

This is indeed scary, and should not be too difficult to fix.

I volunteer to look into that. Where's the code repository for the PerlMonks software?

Replies are listed 'Best First'.
Re^2: It's been ten years ...
by holli (Abbot) on Jul 29, 2019 at 20:51 UTC
    There is no codebase. There only is a database that has code in it.


    holli

    You can lead your users to water, but alas, you cannot drown them.
Re^2: It's been ten years ...
by LanX (Archbishop) on Jul 29, 2019 at 21:08 UTC
    We've discussed it already so many times.

    Perlmonks can't mail you the password if it's one-way encrypted.

    Best is to stick with a randomly generated password and to store it into your browser or password manager.

    When forgotten get it mailed to you.

    > and should not be too difficult to fix.

    This would imply adjusting the What's my password? mechanism too.

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery FootballPerl is like chess, only without the dice

    PS: And no, in my private scratch pad you'd neither find my credit card nor my email passwords nor the number of the Russian officer who's handling agent orange in the white house.

    I keep such information exclusively to myself and twitter.

      Lanx writes:
      This would imply adjusting the What's my password? mechanism too.

      Yes, of course. You can improve easily by creating a fresh random password and mailing that to the user, and then store it encrypted. After all, they forgot their password, right?

      This is still bad security practice, though, as plain text email isn't actually secure. With a bit more effort you can get a decent self-service password reset function. This has been done before, it isn't rocket surgery.

        Yes, of course. You can improve easily by creating a fresh random password and mailing that to the user, and then store it encrypted.
        No, please no!

        (I know many websites do this.)
        So everone claiming "I am user X and I forgot my password" can now reset my password, and I am locked out and have to check my email.

        The minimum password procedure should be: store an intermediate token, send the user a link with that token and then let them enter their new password. And that means, we need a new endpoint *and* a new database table probably. So it's not that trivial.
        > With a bit more effort you can get a decent self-service password reset function. This has been done before, it isn't rocket surgery.

        I know, "a decent self-service password reset function" was my first task at my current job.

        Good luck integrating it here!

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        Wikisyntax for the Monastery FootballPerl is like chess, only without the dice

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://11103593]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (6)
As of 2020-04-08 16:11 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    The most amusing oxymoron is:
















    Results (45 votes). Check out past polls.

    Notices?