a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by mk
mk  ·  4348 days ago  ·  link  ·    ·  parent  ·  post: Hubski with ssl?

    While we're talking about security: you really ought to require that people re-enter their existing password when changing their password.

Good point. I'll implement that as well.

    Finally: I assume that you're hashing the password on the database side, and not just storing them plaintext.

Yes, they are hashed.

    You're doing great work, mk: please don't think I'm nickpicking! Security's important, and it's worth getting right.

Thanks. I have no problem being cautious, or sensitive to privacy. In a place where we want people to speak freely, it doesn't hurt.

I'll follow up.





ll  ·  4347 days ago  ·  link  ·  

Also don't forget to salt the hashes. A salted hash is a happy hash ^_^

thundara  ·  4346 days ago  ·  link  ·  

Or better yet, use bcrypt, PBKDF2, or scrypt. Salted hashes slow a cracker down by a day or two, but an actual work factor turns that into years or decades. I'm not too sure what has been implemented (well) in arc, so that may or may not be the deciding factor on the matter, but any of the three is better than a simple salt.