On Monday 18 June 2001 15:33, Martijn Pieters wrote:
On Mon, Jun 18, 2001 at 12:28:54PM -0400, Shane Hathaway wrote:
1) Optional password encryption. Right now passwords are stored as clear text. What's interesting is that Zope can already authenticate against SHA encrypted passwords, it just won't encrypt user passwords unless you force it to. As a test of Zope's ability to authenticate against encrypted passwords, I sneakily implemented the "inituser" changes with SHA encryption by default. That means that the password for the initial user stored in the database is not possible to decrypt and yet nobody has had any problems with it AFAIK. Since it has been successful, I'd like to suggest we add a checkbox to basic user folders that enables encryption for new passwords, and have it turned on by default. The risk is incompatibility with HTTP digest auth, which I imagine nobody is using right now.
There is already a proposal for this:
http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords
You could, of course, create a counter proposal..
I'm suggesting a checkbox that enables and disables encryption. Enabling encryption is actually very simple--I've had it enabled on my own box for nearly a year. :-) Shane
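To show what the first message's mixed store looks like in practice, here is an added example (not code from the thread or from Zope itself) of a user folder that validates both legacy clear-text entries and prefixed SHA entries, with the proposed "encrypt new passwords" switch. It assumes the `{SHA}` prefix + base64(SHA-1) storage format used by later Zope releases; the class and function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Assumed storage format: "{SHA}" prefix followed by base64 of the raw SHA-1
# digest. Example code, not the Zope user folder's own implementation.
SHA_PREFIX = "{SHA}"


def pw_encrypt(password: str) -> str:
    """Turn a clear-text password into its prefixed SHA-1 digest for storage."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def is_encrypted(stored: str) -> bool:
    """A stored value is treated as a hash only when it carries a known prefix.
    (A legacy clear-text password that itself starts with "{SHA}" would be
    misclassified; that ambiguity is inherent to prefix-marked stores.)"""
    return stored.startswith(SHA_PREFIX)


def pw_validate(stored: str, attempt: str) -> bool:
    """Check a login attempt against a clear-text or a {SHA} stored value.

    Supporting both forms is what lets one folder hold old clear-text entries
    alongside newly hashed ones. Comparisons are constant-time either way.
    """
    if is_encrypted(stored):
        return hmac.compare_digest(pw_encrypt(attempt).encode(), stored.encode())
    return hmac.compare_digest(stored.encode("utf-8"), attempt.encode("utf-8"))


class UserFolder:
    """Minimal in-memory user store with the proposed encryption checkbox."""

    def __init__(self, encrypt_new_passwords: bool = True):
        self.encrypt_new_passwords = encrypt_new_passwords
        self._users = {}  # name -> stored password value (constructed data)

    def add_user(self, name: str, password: str) -> None:
        stored = pw_encrypt(password) if self.encrypt_new_passwords else password
        self._users[name] = stored

    def authenticate(self, name: str, attempt: str) -> bool:
        stored = self._users.get(name)
        return stored is not None and pw_validate(stored, attempt)

    def supports_digest_auth(self, name: str) -> bool:
        """HTTP Digest needs the clear password server-side, so a hashed
        entry cannot be used with it: the incompatibility Shane mentions."""
        stored = self._users.get(name)
        return stored is not None and not is_encrypted(stored)
```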