Forum OpenACS Q&A: Re: Password in ClearText

32: Re: Password in ClearText (response to 1)
Posted by Alfred Essa on
The logic here is twisted. There is no such thing as "security by default" in software or, for that matter, in life.  I for one would not trust someone to run a web site who thinks in those terms.

The standard way of encrypting login passwords on a production web site is by using https and ssl. Forget JavaScript and Digest Authentication.

It takes some tiny effort to set up SSL, but it's not that hard. The problem with making it a "default" is that it creates the illusion of security.

This is indeed one of the problems with Microsoft products. They make it "very easy" for a clueless administrator to set up a "sophisticated" and "secure" web site using defaults, wizards, and point-and-click. But by masking the underlying complexity, the same clueless administrator can easily end up believing that things are working when they are not. When something breaks and there is no "solution by default" at hand, that's when the folly of the easy path becomes apparent.

When it comes to security, having to use your "grey cells" is not a bad thing.