DragonGorge wrote: I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted, so maybe this is a case where the cost isn't worth the benefit.
Agreed. The real question is, with Don's limited time, what the level of importance is. Between trying to make sure that the site stays up and dealing with getting contest rewards, publishing articles, deleting spam, updating the site, and everything else, what would be best to let slip so that some serious time could be spent re-vamping the site to use hashed passwords?
I mean, as such, if we're going to do it right, using something simple and salted would be bad; SHA1 with a salt would be less optimal than something more sophisticated, with time built into cracking passwords as well as generating them, such as bcrypt.
There are tons of other things that should probably be done, ensuring that the linkages between the two systems are using SSL, for instance. With that said, I think that if this is important to people, they should write up a synopsis of things that they think should be done to improve the security of the site, research what it would take, and propose doing a project with Don to get it done.
In the end, it's a good resume builder, Don will owe you one, and people who help out with stuff on the site tend to get rewarded.
Just a thought.
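The contrast drawn above, a single salted SHA1 versus a hash with a tunable work factor, as an added example that is not code from this thread or from the forum software. bcrypt, which the post names, is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in here for the "time built in" family; the iteration count, record format and sample passwords are assumptions for illustration. The cost parameter is stored next to the hash so it can be raised later without invalidating existing records, and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example, not the forum's code. A salted SHA1 still costs an
# attacker one cheap hash per guess; a slow, tunable hash makes every guess
# cost as much as the defender chooses. bcrypt is not in the stdlib, so
# hashlib.pbkdf2_hmac is the stand-in (assumption: same design idea).

FAST_SCHEME = "sha1"
SLOW_SCHEME = "pbkdf2-sha256"
SLOW_ITERATIONS = 200_000  # assumed work factor; tune to your server's budget


def hash_salted_sha1(password: str, salt: Optional[bytes] = None) -> str:
    """One SHA1 over salt||password. The salt defeats precomputed tables,
    but does nothing about brute-force speed. Record: scheme$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{FAST_SCHEME}${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = SLOW_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256; the iteration count is stored in the record
    (scheme$iterations$salt$dk) so the cost can be raised for new hashes
    while old ones still verify."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SLOW_SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive from the stored salt (and cost) and compare in constant time.
    Unknown or malformed records verify as False rather than raising."""
    parts = stored.split("$")
    try:
        if parts[0] == FAST_SCHEME and len(parts) == 3:
            candidate = hash_salted_sha1(password, bytes.fromhex(parts[1]))
        elif parts[0] == SLOW_SCHEME and len(parts) == 4:
            candidate = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(hash_fn, sample: int) -> float:
    """Rough single-core throughput for an attacker who has the database:
    how many candidate passwords per second can be checked against one record."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"guess{i}", salt)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    record_fast = hash_salted_sha1("correct horse")
    record_slow = hash_pbkdf2("correct horse")
    print("fast record:", record_fast)
    print("slow record:", record_slow)
    print("verify ok  :", verify("correct horse", record_slow))
    print("verify bad :", verify("wrong horse", record_slow))
    # Few samples for the slow hash so the demo finishes quickly.
    fast_rate = guesses_per_second(hash_salted_sha1, 20_000)
    slow_rate = guesses_per_second(hash_pbkdf2, 5)
    print(f"salted SHA1 : ~{fast_rate:,.0f} guesses/s on this core")
    print(f"PBKDF2 x{SLOW_ITERATIONS}: ~{slow_rate:,.1f} guesses/s on this core")
```

The printed rates are only a feel for the ratio on one core; a real attacker uses GPUs, which widens the gap for SHA1 far more than for memory- or time-hard functions, which is the argument for bcrypt or similar over any single fast hash.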