I and others have expressed dismay at the fact that the wikipedia database contains plain text user passwords. This would be very easy to fix in the new codebase, but there are several options on how to handle it, some of which are feature changes that ought to be discussed by the list at large.
The intended functionality (and what should be the current functionality of http://www.piclab.com/newwiki/wiki.phtml) is this: new users are created by looking up the name; if the name doesn't already exist, the user is created with the password specified. The user can then log in with that name and password at any time. Logged in status is maintained thoughout a session. If the user has the "remember my password" option turned on, he is logged in even after closing the browser and restarting later. The login form has a button for those who have forgotten their password. If they have entered an email address for their account, their password can be sent to that address (in plain text). This "email password" function is tricky to do without plain text passwords in the database. A user can change his own password at anytime.
As I see it there are three options:
(1) Eliminate the "email my password" feature. This would require people who forgot their passwords either to create new user accounts, or aking an administrator to clear their password (which will be made an option available to administrators). Passwords in the database will then be encrypted.
(2) Change the feature to "email me a new password". Passwords will be encrypted, and when the user forgets his, the system will create a new random password and email _that_. The user will then log and change his password (hopefully to something he can remember).
Plaintext passwords won't exist anywhwere with options 1 or 2--this is the most secure.
(3) Keep the full existing functionality by creating a "shadow" password table with plain text passwords that not even administrators can access (but that a few folks like Jimbo can). This complicates administration, and also might add some latency to functions like creating accounts and changing passwords, but probably not to the basic login. This is the simplest from the user's point of view.
So let me ask the group: is the functionality of sending a plaintext password over email useful enough to justify some extra administration? Is security that important? (There's nothing sensitive in the user table, but people do tend to re-use passwords for several things, so having plain text passwords lying around is probably not a good idea). Which option do you think is best? 0