11 May 1999, 7:59 p.m.
I just found that Zope presents the user-editing form (manage_users) with the password in plaintext. That's a bit crude.
As an example of our Open Source business model, a current customer is rather interested in LDAP and has asked us to develop some Zope integration for it. LDAP stores the _hash_ of users' passwords (e.g., crypt, MD5, SHA). Our LDAP effort will be very sensitive to this approach.

What are people's thoughts on storing password hashes instead of the plaintext password? Of course, it would become impossible to offer the "You Forgot Your Password For the Fifteenth Time" email messages...

Ideas? Comments?

--Rob
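What checking a login against LDAP-style hashed values looks like, as an added example that is not part of the original post or of Zope's own code: it verifies a password against the `{MD5}` and `{SHA}` userPassword layouts and, going slightly beyond the post, their salted `{SMD5}` and `{SSHA}` variants, so the plaintext is never stored or shown in a form. The function names and the sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# scheme -> (digest constructor, digest length in bytes, carries a salt?)
# Salted schemes store base64(digest + salt); unsalted ones store base64(digest).
_SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SHA": (hashlib.sha1, 20, False),
    "SMD5": (hashlib.md5, 16, True),
    "SSHA": (hashlib.sha1, 20, True),
}


def make_ssha(password, salt=None):
    """Return a '{SSHA}...' value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(candidate, stored):
    """Verify a candidate password against a stored '{SCHEME}base64' value."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # plaintext or unknown layout: refuse rather than compare raw
    scheme, _, encoded = stored[1:].partition("}")
    entry = _SCHEMES.get(scheme.upper())
    if entry is None:
        return False  # e.g. {CRYPT}, which this example does not implement
    hash_fn, size, salted = entry
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # not valid base64
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or salted != bool(salt):
        return False  # truncated digest, missing salt, or unexpected trailing bytes
    expected = hash_fn(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    stored = make_ssha("s3cret-example")  # constructed sample password
    print(stored)
    print(check_password("s3cret-example", stored), check_password("guess", stored))
```

Because only the hash is kept, a forgotten password cannot be mailed back; it can only be replaced with a new one.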