The Web site now has authentication. Naturally the passwords are encrypted.
Currently login is useless for you because I don't offer any way of signing up, but it will be useful for me. And in the long run, it will help when I start adding administrative features. However, my deadline to flying to the US approaches (Sunday) and I doubt I'll have much hacking time for a couple of weeks.
If you are the only one who has a login currently and the site is on your internal network and you only access it from your internal network, the rest of my post is premature.
However, if you connect to it over the internet, having the password encrypted locally does very little good, as there is *more* danger of passwords being captured as they traverse the Internet.
So long as the rest of the site is secure, local storage of passwords is a fairly moot point. I feel certain that the primary reason that was the major focus of so many of the people responding to the perl monks breach is that it's an absolutely trivial thing to implement - it shouldn't be considered the 'best practice', but rather the 'only practice'.
However, likewise, the submit on a login form should go over https. This also should be an 'only practice', IMO. (Yes, I know - last I checked, use.perl.org has the same problem. However, since you're developing this site right now, it's the time to complain about it now.)
Re:Missing the point
Ovid on 2009-08-22T19:06:23
I absolutely agree that it should only go over https. Right now, it's an insecure password for development only. I wouldn't open this up if I thought it was insecure.
