- While we're talking about security: you really ought to require that people re-enter their existing password when changing their password.
Good point. I'll implement that as well.
- Finally: I assume that you're hashing the password on the database side, and not just storing them plaintext.
Yes, they are hashed.
- You're doing great work, mk: please don't think I'm nitpicking! Security's important, and it's worth getting right.
Thanks. I have no problem being cautious, or sensitive to privacy. In a place where we want people to speak freely, it doesn't hurt.
I'll follow up.
–
Or better yet, use bcrypt, PBKDF2, or scrypt. Salted hashes slow a cracker down by a day or two, but an actual work factor turns that into years or decades. I'm not too sure what has been implemented (well) in arc, so that may or may not be the deciding factor on the matter, but any of the three is better than a simple salt.
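As an added example (not code from this thread or from the site's arc codebase), here is how the two suggestions above fit together in Python: a PBKDF2 record whose iteration count is the tunable work factor, next to the plain salted hash it replaces, and a password-change routine that first verifies the existing password. The `USERS` table, the iteration count and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: PBKDF2 iteration count. Every guess an attacker makes against a
# stolen record costs this many HMAC evaluations instead of one. Tune it so a
# hash takes a few hundred milliseconds on the server (value assumed here).
ITERATIONS = 200_000

def weak_salted_sha256(password: str, salt: bytes) -> str:
    """The 'just a salt' approach the post argues against: one hash per guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.
    Storing the iteration count lets the work factor be raised later without
    invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and work factor."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed in-memory user table standing in for the site's database.
USERS = {"mk": hash_password("correct horse battery staple")}

def change_password(username: str, current: str, new: str) -> bool:
    """Re-hash only if the caller proves knowledge of the existing password,
    which is the check suggested at the top of the thread."""
    record = USERS.get(username)
    if record is None or not verify_password(current, record):
        return False
    USERS[username] = hash_password(new)
    return True
```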