Re: [Zope] Accessing a user's password
On Saturday 15 February 2003 09:00 am, zope-request@zope.org wrote:
> Asad Habib wrote:
> > Is there any way to access a user's password given the name of the user?
> Why would you want to do that? It's a bit of a security issue...
It actually depends on how the authentication data is actually stored. In my case, I'm using MySQL to do that, so as long as I have the right privileges to do the search, it's simply a matter of running an SQL query. For other user folders, you'll need to do an unrestricted Python call (from within a product or an external method). Obviously this is good, since it isn't possible for a restricted Python script to steal passwords!
> > Also, once you access the password, how would you decrypt it?
> You can't, that's the point ;-)
So true. You can of course, *crack* passwords -- but it's an unreliable and difficult process. It's precisely what a good secure hash is trying to avoid! (It's not like the reversible private or public key encryption which can be reversed if you have the key -- I was a little unclear on this distinction myself just last year when I was changing my authentication system). This is a good reason to use plain-text storage of passwords if you think you're going to need this capability. I was originally going to use encrypted passwords on my project, but SimpleUserFolder made this difficult because it didn't give me a way to compare hashes instead of the original passwords (This may not be true anymore, I haven't checked, BTW). But the point is, I realized I wanted to be able to send out reminders (and the data is not so secure that it is really necessary to have high security -- it's more of a privacy password at this point). So the technical difficulty was actually a bit of a blessing in disguise, because it made me stop and think about this issue. I also realized that unless you're using SSL/HTTPS you aren't really that secure anyway -- although you may be storing a secure hash, the password is going plain text through the internet on each login (Someone please correct me if I'm wrong on this point). If so, then what's the point? All you're doing is giving yourself a false sense of security at the cost of considerable inconvenience -- any competent cracker can set up to sniff your passwords anyway.
> > (I would like to email the password to a user who has forgotten his)?
> You should change their password and email them that new one.
Although I agree that this is the only way to deal with encrypted passwords, it can be very annoying for the user. I decided plain text served my present needs better, partly for this reason. Of course, if you are handling extremely sensitive information (financial data or keys, classified information, extremely personal data like medical records) or other stuff with severe consequences if it's leaked, then you're better off with encrypted and the hassles that come with it. But if it's just a privacy password to keep people from pretending to be other people in forums or something, or from messing up each other's profiles or something, then I don't think it's worth it. And if you *are* going to use encrypted passwords, then you need to set up your site for SSL/HTTPS! Actually, you have to think about what kind of threat is probable -- how can the passwords be stolen? If your database is accessible by other means, or could be compromised, then encrypting the data there really makes sense. But it seems to me that a remote attack, such as sniffing packets, is much more likely. Therefore, you'd actually be more secure to use plain text passwords with an SSL/HTTPS site than to encrypt passwords on a plain HTTP site.

Cheers,
Terry

--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
"Some things are too important to be taken seriously"
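The two mechanisms the thread keeps circling back to, "comparing hashes instead of the original passwords" and "change their password and email them that new one", can be shown together in a few lines. The following is an added example and not code from the thread, from SimpleUserFolder, or from Zope: it uses salted PBKDF2 from the Python standard library for storage and verification, and a reset routine that generates a fresh random password because a hash cannot be reversed. The `UserStore` class is a constructed in-memory stand-in for a user folder or MySQL table; the user names and passwords in the usage are likewise constructed.

```python
import hashlib
import hmac
import os
import secrets
import string

# PBKDF2 work factor; larger slows both legitimate logins and offline guessing.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' for the password, with a random 16-byte
    salt unless one is supplied (supplying it is only for deterministic tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Compare the hash of a submitted password against the stored hash.
    The stored value is never decrypted; the candidate is re-hashed with the
    same salt and the two digests are compared in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate_digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate_digest, bytes.fromhex(digest_hex))


def generate_temporary_password(length=12):
    """Random password from a CSPRNG, used for the reset-and-email flow."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class UserStore:
    """Constructed stand-in for a user folder or a MySQL user table.
    Only the salted hash is kept, so nothing here can hand back a password."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password):
        self._users[name] = hash_password(password)

    def authenticate(self, name, password):
        stored = self._users.get(name)
        if stored is None:
            return False
        return verify_password(stored, password)

    def reset_password(self, name):
        """The 'change their password and email them that new one' approach:
        the old hash cannot be reversed, so a fresh password is generated,
        stored hashed, and returned exactly once for delivery to the user."""
        if name not in self._users:
            raise KeyError(name)
        new_password = generate_temporary_password()
        self._users[name] = hash_password(new_password)
        return new_password

    def stored_record(self, name):
        """What a privileged SQL query or unrestricted call would actually see."""
        return self._users[name]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("asad", "hunter2")          # constructed sample user
    print("login ok:", store.authenticate("asad", "hunter2"))
    print("stored:", store.stored_record("asad"))  # salt$hash, not the password
    temp = store.reset_password("asad")         # this is what gets emailed
    print("old password still works:", store.authenticate("asad", "hunter2"))
    print("temporary password works:", store.authenticate("asad", temp))
```

Because `stored_record` returns only `salt$hash`, the original question ("access a user's password given the name of the user") has no answer even for someone with full database privileges, which is exactly the property the thread is weighing against the convenience of plain-text storage.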