NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • by tgape (9307) on 2009.08.22 11:35 (#70222) Journal

    If you are the only one who has a login currently and the site is on your internal network and you only access it from your internal network, the rest of my post is premature.

    However, if you connect to it over the internet, having the password encrypted locally does very little good, as there is *more* danger of passwords being captured as they traverse the Internet.

    So long as the rest of the site is secure, local storage of passwords is a fairly moot point.  I feel certain that the primary reason that was the major focus of so many of the people responding to the perl monks breach is that it's an absolutely trivial thing to implement - it shouldn't be considered the 'best practice', but rather the 'only practice'.

    However, likewise, the submit on a login form should go over https.  This also should be an 'only practice', IMO.  (Yes, I know - last I checked, use.perl.org has the same problem.  However, since you're developing this site right now, it's the time to complain about it now.)

    • I absolutely agree that it should only go over https. Right now, it's an insecure password for development only. I wouldn't open this up if I thought it was insecure.
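As an added example (not tgape's code, nor anything from use.perl.org), the two "only practices" from this thread written in core Perl: the stored credential is a salted, iterated hash (PBKDF2-HMAC-SHA256 via Digest::SHA, compared in constant time) rather than a plaintext or reversibly encrypted password, and the login handler refuses to look at the submitted password unless the POST actually arrived over https. The function names, the record format and the rule of honouring X-Forwarded-Proto only behind your own TLS-terminating proxy are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);
# PBKDF2-HMAC-SHA256 (RFC 2898) on Digest::SHA's hmac_sha256($data, $key): T_i = U_1 xor .. xor U_c.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dklen) = @_;
    my ($out, $block) = ('', 1);
    while (length($out) < $dklen) {
        my $u = hmac_sha256($salt . pack('N', $block++), $password);   # U_1 = HMAC(P, S || INT(i))
        my $t = $u;
        for (2 .. $iterations) { $u = hmac_sha256($u, $password); $t ^= $u; }
        $out .= $t;
    }
    return substr($out, 0, $dklen);
}

# Constant-time comparison so a mismatch does not leak where the bytes differ.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Assumed record format (self-describing): pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>.
sub hash_password {
    my ($password, $iterations) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $salt, 16) == 16 or die 'short read from /dev/urandom';
    my $hash = pbkdf2_sha256($password, $salt, $iterations, 32);
    return join '$', 'pbkdf2-sha256', $iterations, encode_base64($salt, ''), encode_base64($hash, '');
}

sub verify_password {
    my ($password, $stored) = @_;
    my ($alg, $iter, $salt_b64, $hash_b64) = split /\$/, $stored;
    return 0 unless defined $hash_b64 && $alg eq 'pbkdf2-sha256' && $iter =~ /^\d+$/;
    my $expected = decode_base64($hash_b64);
    return ct_equal(pbkdf2_sha256($password, decode_base64($salt_b64), $iter, length $expected), $expected);
}

# Refuse a login POST that did not arrive over TLS; trust the forwarded header only behind your own proxy (assumption).
sub login_is_over_https {
    my %env = @_;
    return 1 if defined $env{HTTPS} && lc($env{HTTPS}) eq 'on';
    return 1 if defined $env{HTTP_X_FORWARDED_PROTO} && lc($env{HTTP_X_FORWARDED_PROTO}) eq 'https';
    return 0;
}
```

In a CGI handler the order matters: call `login_is_over_https(%ENV)` first and redirect to the https form on failure, and only then run `verify_password` on the submitted value against the stored record.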