The database package is coming along very well! We decided, instead of making an entirely new database package, to branch off of an old project which we all used to know as html-db (which is still named that, but that was solo me), so progress is going well on this!
You put an HTML form on your page with a post request pointing to their site and they store/authenticate passwords.
But they are saying devs can view passwords, so are you guys one way hashing? That shouldn’t be possible with 1 way hashing…
They confirmed they were giving up on allowing devs to see passwords, hashed or not, after I and others pointed out it was a huge security risk
We may still do it, the web side of things is the only difficult part of this huge project, and the only reason why it is huge, is because of the web side of things
May still do what?
allow devs to see passwords
NOOO don’t allow devs to see pwds
ofc, there will be security if we do implement this, most likely an off-site master key that a generator must make
Hashed or not?
What purpose would it serve to allow developers to view passwords? It pointlessly weakens the cryptographic model.
Use bcrypt. That should be the end of the story.
depends
But anyone could get into the devs account by guessing their password! It should be against the Glitch ToS to not hash passwords, it’s really simple and not doing it is just a security risk
Yes @RA80533. bcrypt is really easy and you can hash the password by just doing about a line of code that you can just copy from the npm readme! Simples!
Remember: when you deal with encryption, you’re dealing with munitions according to U.S. law (see this thread). You should respect its implementation accordingly.
Remember this though:
I suggest that someone from @glitch_support closes this, if the OP want to store plain-text passwords go ahead, I’m not using this, I doubt others will too.
=/, it is web/server only/client only, the thing is universal, this part will only be for web…
This is a major security vulnerability and should be shut down. Projects that are openly storing plaintext passwords are a bad idea.
It won’t be openly storing them, lordy, is it this hard to get a point through to some of y’all?
We don’t have all the plans figured out yet, but YES, they will be encrypted, NO they will not be easy to access, AND NO! Openly storing anything sensitive is a dumb af idea, I’m not dumb enough to let it slide by in any project I’m involved in.