I just noticed the default option for the stock User Folder is to not encrypt passwords. Why? Shouldn't any web server that gets exposed to the real world err on the side of more security and less convenience?
This is a backwards compatibility measure, from what I remember...
----- Original Message -----
From: "Charlie Reiman" <creiman@kefta.com>
To: <zope@zope.org>
Sent: Tuesday, August 20, 2002 12:49 PM
Subject: [Zope] User Folder default behavior
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Okay. That seems reasonable. But it brings up a second question: Is it supposed to work?
I turned on encryption, then clicked on "update passwords". I was then completely unable to sign on with any of those accounts. I had to create the emergency user, turn off encryption, and change the user passwords to force them to store as clear text again.
I've done this on two different servers so far with identical results (both 2.5.1). Does anyone have this turned on and working?
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Chris McDonough
Sent: Tuesday, August 20, 2002 10:53 AM
To: Charlie Reiman; zope@zope.org
Subject: Re: [Zope] User Folder default behavior
Yes, I have, with the same caveat.
Funnily the starting message of this thread alerted me to this option in 2.5 (before I used 2.3.3). Did the same thing as you, "update passwords", and was immediately logged out (403). Had also to resort to emergency user.
Anyway, I deleted the accounts and recreated them, now it apparently works with encryption.
Maybe it doesn't work when a user which is defined in this same folder starts the password updating process.
cheers, oliver
Issue logged. http://collector.zope.org/Zope/529
-----Original Message-----
From: Oliver Bleutgen [mailto:myzope@gmx.net]
Sent: Tuesday, August 20, 2002 2:52 PM
To: Charlie Reiman
Cc: Chris McDonough; zope@zope.org
Subject: Re: [Zope] User Folder default behavior
Bummer man. :-( Thanks for logging the issue. I'm surprised no one brought it up before.
- C
On Tue, 2002-08-20 at 17:51, Oliver Bleutgen wrote: