Wednesday, 26 March 2014

Passwords on gRSShopper
Last week, with all the indignation of the morally righteous, someone wrote to me and demanded that I do just what they said or they would blog to the world about how awful gRSShopper was.

Let me beat him to the punch: gRSShopper is awful. I have never denied it, or claimed anything else. In fact, the most recent version is a 0.3 pre-release version.

His particular complaint was that he had heard passwords were being stored as plain text. No, he didn't actually know this; he had just heard it somewhere.

Passwords are in fact stored in the database, not lying around in some plain-text file, and the database is secured and protected against access. So it's not as though passwords were there for the taking, and there is no evidence whatsoever that they have ever been compromised.

Despite his rudeness, though, he had a fair point about how they were stored, so last night I rewrote the logins so that passwords are encrypted when they are created, and retroactively encrypted every password in the system. This morning I also rewrote the password recovery system so that it now resets passwords instead of just sending them (I used to encrypt passwords in the past, but actually changed it back because so many users had problems with the password reset system).

It turns out that this was not enough, and he demanded (yes, demanded, complete with bold-face commands littered throughout his emails) a better password encryption system, one like the ones used by Drupal and Wordpress.

Because in principle, if someone hacked their way into the database, they could then use a brute-force algorithm to crack the passwords, at which point they would have access to - well, information stored in the database.

The point, of course, is that people sometimes use the same password in other systems, and so if some hacker got into the gRSShopper database they could access other accounts that people have unwisely set up using the same password.

I'll tell you what. Here's the login system as it now exists in gRSShopper: click here

When I get some time in the future, I'll use salted sha1 encryption and make it crack-proof. I'll also put the entire downes.ca and mooc.ca server onto HTTP Secure (https) so people can't pick your passwords out of wifi transmissions they're eavesdropping on (the https bit he didn't mention, but it has been on my mind for years).

Until then: either send me back the login script with the changes made (and don't forget they have to be backward compatible so they don't mess up user accounts even more than I messed them up yesterday), or give me a bit of a break.
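As an added illustration of the two points raised above (slowing down brute-force cracking of a stolen database, and keeping the change backward compatible with existing accounts), here is a small verify-and-upgrade routine. It is not gRSShopper's code and the record formats, field names and iteration count are assumptions of this example; it uses salted PBKDF2-HMAC-SHA256 from the Python standard library rather than a single salted SHA-1 pass, because the iteration count is what makes each guess against a leaked table expensive. Legacy unsalted SHA-1 records are accepted once and rewritten in the new form on a successful login, so old accounts keep working.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record formats (not gRSShopper's real schema):
#   legacy:  "sha1$<hex>"                      unsalted SHA-1 of the password
#   current: "pbkdf2$<iters>$<salthex>$<hex>"  salted, iterated hash
ITERATIONS = 100_000  # assumed; tune so a login costs a few tens of milliseconds


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: a per-user random salt defeats precomputed tables,
    and every guess costs the attacker `iterations` HMAC evaluations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def legacy_sha1(password: str) -> str:
    """The old unsalted form, kept only so existing records can be verified once."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, new_record). new_record is non-None when a legacy record verified
    and the caller should overwrite it in the database with the salted form."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 2:
        ok = hmac.compare_digest(legacy_sha1(password), stored)  # constant-time compare
        return ok, (hash_password(password) if ok else None)
    if parts[0] == "pbkdf2" and len(parts) == 4:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        expected = hash_password(password, salt, iterations)
        return hmac.compare_digest(expected, stored), None
    return False, None  # unknown or corrupt record: fail closed


if __name__ == "__main__":
    db = {"alice": legacy_sha1("correct horse")}  # constructed sample user record
    ok, new = verify_and_upgrade("correct horse", db["alice"])
    if ok and new:
        db["alice"] = new  # record is rewritten transparently on first login
    print(ok, db["alice"].split("$")[0])
```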

gRSShopper does not have a budget. It's something I do in spite of the wishes of my employers, not at their behest. I've paid for the web server out of my own pocket for years. I've spent a lot of my own personal time (and some work time I could get away with) working on it. I went through a long process to get permission to release it as open source so that if people had a problem they could fix it.

It would be great if there were some funding for the project, if some institution were to give me the sort of money they give to the grant-writing experts at University and MIT, if I could devote my time to working on making open learning accessible to people instead of working on private hush-hush projects for the government. But I don't have any of that kind of support, and it's even a violation of public service conflict-of-interest guidelines to apply for it. If you have criticisms, either ask me nicely, help me out, or use something else. Don't write to me as though I'm some kind of servant you can order to perform this or that task just because you say so, on threat of 'exposing' what a lousy software developer I am. I love getting suggestions and help. I pathologically hate being given commands or ultimatums.

Oh yeah, and if you're a foundation or some big company or something that would like to fund my work, I'm all ears.