RE: [Zope] Major security flaw in Zope 2.3.2
Sorry if I'm misunderstanding the current conversation. The difference seems to be that a Mailman user is only dealing with e-mail; however, a Zope user may be making purchases, and therefore their password may be more sensitive. Many regards, Neil Ellis
-----Original Message-----
From: barry@digicool.com [SMTP:barry@digicool.com]
Sent: 07 June 2001 15:29
To: Joachim Werner
Cc: Jerome Alet; zope@zope.org
Subject: Re: [Zope] Major security flaw in Zope 2.3.2
"JW" == Joachim Werner <joe@iuveno-net.de> writes:
JW> I am really not against encrypted passwords. DC should
JW> implement this soon. AFAIK the only reason for passwords not
JW> being encrypted yet was that the encryption modules needed
JW> were not available for all platforms or so.
I'm coming in totally in the middle of this thread, and I only follow this list tangentially, but I thought I'd comment w.r.t. my experience in Mailman.
One reason to keep passwords in the clear is to provide a mail-back service when a user forgets his or her password. If you store them in encrypted form, you can't really do this. (You could store user-supplied hints and mail those back, but that doesn't seem to work too well in my experience. I haven't seen any usability studies to say whether that's a useful approach or not.)
In Mailman, we keep user passwords in the clear so we can do the monthly password reminders. However, the list admin passwords are kept as a sha1 hash - not in the clear. That means that if a list admin forgets his password, it's up to the site admin to assign them a new password. So far, this has been a workable trade-off.
We have the advantage that user passwords don't protect a highly valuable resource; the worst that can happen is that they'll get unsubscribed from a list. Bad, but not catastrophic. List and site admin passwords are more valuable, so they afford a higher degree of security (and necessarily, less convenience).
Side note: Mailman doesn't -- by default -- have SSL for its login pages, although I'm aware that some sites have augmented their Mailman installations to provide this. It would probably be a good idea to someday bundle this functionality.
Cheers, -Barry
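The trade-off Barry describes (cleartext member passwords so a reminder can be mailed back, versus hashed admin passwords that can only be replaced by the site admin when forgotten) as an added Python example. This is not code from the thread, from Mailman or from Zope; the class name, method names and the sample account names are assumptions. It stores the unsalted SHA-1 scheme the message mentions, and also a salted PBKDF2 variant (an addition beyond the thread) because an unsalted digest of a short password can be matched against a precomputed wordlist by anyone who reads the raw store.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration of the thread's trade-off; not Mailman or Zope code.
# Three storage policies: cleartext (reminder mail-back possible), unsalted
# SHA-1 (the admin-password scheme described in the message), and salted
# PBKDF2-HMAC-SHA256 (a hardened alternative assumed here, not from the thread).


class PasswordStore:
    def __init__(self):
        # account name -> (kind, stored value)
        self._users = {}

    def set_user_password(self, name, password):
        """Member password kept in the clear so a reminder can be mailed back."""
        self._users[name] = ("clear", password)

    def set_admin_password(self, name, password):
        """Admin password kept as an unsalted SHA-1 hex digest (the scheme described)."""
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
        self._users[name] = ("sha1", digest)

    def set_admin_password_salted(self, name, password, iterations=100_000):
        """Hardened variant (assumed): random per-account salt plus PBKDF2-HMAC-SHA256."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        self._users[name] = ("pbkdf2", (salt, iterations, digest))

    def verify(self, name, candidate):
        """Check a login attempt with a constant-time comparison for every policy."""
        kind, stored = self._users[name]
        if kind == "clear":
            return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
        if kind == "sha1":
            digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
            return hmac.compare_digest(stored, digest)
        salt, iterations, digest = stored
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(digest, attempt)

    def reminder(self, name):
        """What a password-reminder mail could contain: the password itself, but only
        when it was stored in the clear. A hash cannot be turned back into it."""
        kind, stored = self._users[name]
        return stored if kind == "clear" else None

    def assign_new_password(self, name):
        """The site-admin fallback for a forgotten hashed password: replace it."""
        new_password = secrets.token_urlsafe(12)
        self.set_admin_password_salted(name, new_password)
        return new_password

    def exposed_value(self, name):
        """What someone who reads the raw store sees for this account."""
        kind, stored = self._users[name]
        if kind == "pbkdf2":
            salt, iterations, digest = stored
            return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"
        return stored


def demo():
    """Constructed sample accounts showing both halves of the trade-off."""
    store = PasswordStore()
    store.set_user_password("member@example.org", "listpass")  # constructed sample
    store.set_admin_password("listadmin", "adminpass")         # constructed sample
    return {
        "member_reminder": store.reminder("member@example.org"),  # the password itself
        "admin_reminder": store.reminder("listadmin"),            # None: not recoverable
        "admin_exposed": store.exposed_value("listadmin"),        # a 40-char hex digest
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`reminder()` makes the point of the message concrete: the mail-back service exists only because the member password is readable from the store, and that same readability is what an intruder with access to the store gets. `exposed_value()` shows the other side: for the hashed admin account the store holds a digest, so the only recovery path is `assign_new_password()`, which is the "site admin assigns a new one" step described above.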