Just tried signing up and I'm in a stuck position.
• I generate very long passwords (50 characters by default) with 1Password. I usually include special characters—the one I used included ',{<' and the asterisk.
• The signup field accepted my password—and the signup email included the password I had provided in cleartext…at least it did up until the '<' (where there were probably another ~20 characters left).
• Neither the password as I used it nor the truncated version that I was sent works to log me in.
Implementing PBKDF2 isn't that hard, even in PHP (http://mark-story.com/posts/view/using-bcrypt-for-passwords-...). It took me two days to implement, test, and deploy a migration on Rails (and that's only because I'm a cautious SOB who doesn't want to make a mistake affecting customers, and we had two tables to do it against with two different password types). If you're offering this to businesses, you should do everything you can to protect their data—even if you are in beta. POF can get away with storing plaintext passwords, or sending them to customers, but you shouldn't do that.
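For reference, here is what the salted-hash storage the comment above asks for looks like in Ruby (the Rails setting it mentions). This is an added example, not the commenter's code or the site's: the 50-character password containing ',{<*' is constructed, and the iteration count is an assumed cost parameter.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not the commenter's or the site's code. Stores passwords with
# PBKDF2-HMAC-SHA256 and a per-user random salt; the full password, including
# characters such as ',{<*', is hashed, so nothing is truncated or kept in clear.
ITERATIONS = 100_000 # assumed cost; raise it as hardware allows
KEY_LEN = 32         # bytes of derived key

def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: KEY_LEN, hash: 'sha256')
  # Self-describing record so the cost can be raised later without breaking old rows.
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [digest].pack('m0')].join('$')
end

# Constant-time comparison so a mismatch does not leak where the bytes diverge.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_password(password, stored)
  algo, iterations, salt_b64, digest_b64 = stored.split('$', 4)
  return false unless algo == 'pbkdf2-sha256' && salt_b64 && digest_b64
  expected = digest_b64.unpack1('m0')
  actual = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt_b64.unpack1('m0'),
                                    iterations: iterations.to_i,
                                    length: expected.bytesize, hash: 'sha256')
  secure_equal?(actual, expected)
end

# Constructed 50-character password in the spirit of the one in the comment above.
SAMPLE_PASSWORD = 'correct horse battery staple,{<*' + 'x' * 18

if __FILE__ == $PROGRAM_NAME
  record = hash_password(SAMPLE_PASSWORD)
  puts record
  puts verify_password(SAMPLE_PASSWORD, record)                               # true
  puts verify_password(SAMPLE_PASSWORD[0, SAMPLE_PASSWORD.index('<')], record) # false: cut at '<'
end
```

The second check shows why the truncated password from the signup email could never log the commenter in: a hash of the full string does not match a prefix of it, which is the behaviour you want.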
Hey martin-adams, we are really targeting any sector which wants to communicate the current project status. I've taken in your advice though, as I could describe this better on the landing page.
Looks nice, but do you think there's a business model for something this simple/light?
Unless you were dealing with a project that had dozens or hundreds of users/clients interested in tracking the status, it seems like sending an email would be a lot lower friction.