On 8/17/07, Lukas Renggli <renggli(a)iam.unibe.ch> wrote:
> Pier never stored passwords as plain text. It is using SHA to
> generate a hash number that is then stored in the user object.
Ah good to know. Most things are nice to leave up to the user, but
things like this are so fundamental that it's best if the
default/template is already using good behavior. Nice to hear that
Pier already is. In my mind that is a positive for Pier over many of
these other CMSes.
> That's easily doable (see for example
> SqueakSource); the only problem
> is that a Pier User doesn't include an e-mail address right now.
> Lukas
Good point. I was thinking more along the model point of view, something like:
PPasswordManager>>changePassword
	self confirmUserWantsChangeElse: [ ^ self ].
	passwordHash := self encrypt: (self askPassword).
The model can be displayed by the different schemes, one way would be
to use mail. Or maybe one view would do it directly in the site, not
requiring email.
Maybe we could even use the call:/answer: system to ask the password.
That would probably work whether an HTTP get happens between, or an
email conversation, no? :)
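As an added illustration (not code from Pier or from either correspondent), here is the change-password model sketched in this message written out in Python. The confirmation and password-prompt steps are passed in as callbacks, so the same model object can be driven by an in-site form or by an e-mail round trip, which is the separation of model and view the message asks for. The class and method names are assumptions; the stored value is a salted, iterated SHA-256 digest (PBKDF2-HMAC) rather than a bare SHA hash, which is the form of stored hash a defender would want.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


class PasswordManager:
    """Model object that holds only a salted hash of the user's password.

    Hypothetical class (not Pier's API): the confirm / askPassword steps
    are injected callables, so a web form or an e-mail conversation can
    drive the same object.
    """

    ITERATIONS = 100_000  # assumed work factor; tune for the deployment

    def __init__(self) -> None:
        self.salt: Optional[bytes] = None
        self.password_hash: Optional[bytes] = None

    @staticmethod
    def encrypt(password: str, salt: bytes, iterations: int) -> bytes:
        # Salted, iterated SHA-256: PBKDF2 over the plain SHA hashing
        # described in the thread, so equal passwords get distinct hashes
        # and brute-force guessing is deliberately slowed down.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def change_password(self, confirm: Callable[[], bool],
                        ask_password: Callable[[], str]) -> bool:
        """Mirror of PPasswordManager>>changePassword from the message:
        return without touching state unless the user confirms, otherwise
        store a fresh salt and the hash of the newly entered password."""
        if not confirm():
            return False
        self.salt = os.urandom(16)
        self.password_hash = self.encrypt(ask_password(), self.salt, self.ITERATIONS)
        return True

    def check_password(self, candidate: str) -> bool:
        """Verify a login attempt; constant-time compare against the stored hash."""
        if self.salt is None or self.password_hash is None:
            return False
        derived = self.encrypt(candidate, self.salt, self.ITERATIONS)
        return hmac.compare_digest(derived, self.password_hash)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: a declined change followed by an accepted one."""
    manager = PasswordManager()
    # Confirmation declined (e.g. the e-mail link was never clicked): nothing stored.
    declined = manager.change_password(lambda: False, lambda: "never-stored")
    nothing_stored = manager.password_hash is None
    # Confirmation accepted: the new password's hash replaces the old state.
    accepted = manager.change_password(lambda: True, lambda: "correct horse")
    return {
        "declined": declined,
        "nothing_stored_after_decline": nothing_stored,
        "accepted": accepted,
        "right_password_ok": manager.check_password("correct horse"),
        "wrong_password_rejected": manager.check_password("wrong"),
        "plaintext_not_in_store": b"correct horse" not in (manager.password_hash or b""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The callbacks stand in for Seaside's call:/answer: flow: whether `confirm` resolves through an HTTP round trip or an e-mail token, the model sees only a boolean and a string and never keeps the plaintext.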