in reply to Re^2: login with google account
in thread login with google account

Bingo. We have lost a lot of users, including very valuable, high-level Perl experts, because of our abysmal security posture. Fixing it is actually our #1 priority. I just haven't done it because it's extremely complicated and I don't know how to do it.

Today's latest and greatest software contains tomorrow's zero day exploits.

Re^4: login with google account
by cavac (Prior) on Oct 17, 2024 at 12:40 UTC

    I've implemented web systems with hash&salt/bcrypt password systems.

    I'm pretty sure i could find a way to do it in the PM codebase. But that would require giving me access to an "offline" dev copy with complete code and database access to do many test runs, preferably a recent database dump with all the passwords reset to random strings. So this is rather unlikely to ever happen.

    In my opinion, a LOT of the dev backlog on PerlMonks stems from the fact that the ONLY system to develop new features is the live system...

    PerlMonks XP is useless? Not anymore: XPD - Do more with your PerlMonks XP
    Also check out my sister's artwork and my weekly webcomics
Re^4: login with google account
by Bod (Parson) on Oct 11, 2024 at 15:51 UTC
    Fixing it is actually our #1 priority. I just haven't done it because it's extremely complicated and I don't know how to do it.

    I don't know how to do it either...I'm almost certainly less close to knowing than you are...

    But happy to help where I can...what can I usefully do?

      Not sure what all jdporter had in mind, but bcrypted passwords seems like it is towards the top of the list. And emailing password reset links instead of passwords is kind of a prerequisite for that.

      --
      A math joke: r = | |csc(θ)|+|sec(θ)| |-| |csc(θ)|-|sec(θ)| |
        ... bcrypted passwords ... emailing password reset links ...

        Those would certainly be big improvements. But something even more secure and convenient, such as OIDC, would be preferable, imho.

        but bcrypted passwords seems like it is towards the top of the list. And emailing password reset links instead of passwords

        Absolutely!

        But The Monastery is littered with similar suggestions. They usually amount to it being a "good idea" but nobody has the resources (skills, access, time, etc) to actually shoehorn it into the existing architecture.

        It seems to me that a rewrite would be an easier solution and then to either port all the existing threads in or else keep the existing site as an archive. After all, the core parts of PM are not exactly difficult to create...
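The two items the thread puts at the top of the list, bcrypted passwords and e-mailed reset links instead of e-mailed passwords, fit together in a few dozen lines of Perl. The following is an added example, not code from PerlMonks or from anyone in this thread; the cost factor, the 15-minute link lifetime, the in-memory `%reset_store` standing in for a database table, and the `example.invalid` URL are all assumptions chosen for illustration. It uses Crypt::Eksblowfish::Bcrypt, Crypt::URandom and Digest::SHA from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use Crypt::URandom qw(urandom);
use Digest::SHA qw(sha256_hex);
use Encode qw(encode_utf8);

# Cost 12 means 2^12 key-setup rounds; raise it as hardware gets faster.
# Both constants are assumptions for this example.
my $BCRYPT_COST = 12;
my $RESET_TTL   = 15 * 60;    # a reset link is valid for 15 minutes

# Hash a password with a fresh 16-byte random salt. The returned string
# embeds algorithm id, cost and salt, so it is the only thing to store.
# bcrypt only looks at the first 72 bytes of the password.
sub hash_password {
    my ($password) = @_;
    my $settings = sprintf('$2a$%02d$%s', $BCRYPT_COST, en_base64(urandom(16)));
    return bcrypt(encode_utf8($password), $settings);
}

# Constant-time comparison, so a mismatch does not reveal how many
# leading bytes were right.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Re-run bcrypt with the cost and salt embedded in the stored hash: the
# module ignores anything after the salt, so the stored string itself
# serves as the settings argument.
sub verify_password {
    my ($password, $stored) = @_;
    return ct_eq(bcrypt(encode_utf8($password), $stored), $stored);
}

# Create a reset token. The user gets the raw token in the e-mailed link;
# the store keeps only its SHA-256 plus an expiry, so a leaked copy of
# the table does not let anyone reset accounts.
sub create_reset_token {
    my ($store, $user) = @_;
    my $token = unpack 'H*', urandom(32);
    $store->{$user} = { hash => sha256_hex($token), expires => time + $RESET_TTL };
    return $token;
}

# Validate and burn a token in one step: removed on first presentation,
# whether or not it matched, and rejected after its expiry.
sub consume_reset_token {
    my ($store, $user, $token) = @_;
    my $rec = delete $store->{$user} or return 0;
    return 0 if time > $rec->{expires};
    return ct_eq(sha256_hex($token), $rec->{hash});
}

# Demonstration on constructed data.
my $stored = hash_password('correct horse battery staple');
print "stored: $stored\n";
print "right password: ", (verify_password('correct horse battery staple', $stored) ? 'ok' : 'FAIL'), "\n";
print "wrong password: ", (verify_password('Tr0ub4dor&3', $stored) ? 'FAIL' : 'rejected'), "\n";

my %reset_store;
my $token = create_reset_token(\%reset_store, 'monk');
print "reset link: https://example.invalid/reset?user=monk&token=$token\n";
print "first use:  ", (consume_reset_token(\%reset_store, 'monk', $token) ? 'accepted' : 'rejected'), "\n";
print "second use: ", (consume_reset_token(\%reset_store, 'monk', $token) ? 'accepted' : 'rejected'), "\n";
```

The reset flow only sends the user something that expires and works once, which is what makes bcrypt worthwhile: a site that still e-mails passwords in the clear has to keep them recoverable, and at that point the hash format is beside the point. Migrating existing accounts does not need a dump of plaintext passwords either; each account can be rehashed with bcrypt the next time its owner logs in successfully against the old hash, and accounts that never return keep only the old hash until a reset.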