[Zope-dev] Proposed proposals: password encryption, ZODB RAM
Martijn Pieters
mj@digicool.com
Mon, 18 Jun 2001 21:33:24 +0200
On Mon, Jun 18, 2001 at 12:28:54PM -0400, Shane Hathaway wrote:
> 1) Optional password encryption. Right now passwords are stored as
> clear text. What's interesting is that Zope can already authenticate
> against SHA encrypted passwords, it just won't encrypt user passwords
> unless you force it to. As a test of Zope's ability to authenticate
> against encrypted passwords, I sneakily implemented the "inituser"
> changes with SHA encryption by default. That means that the password
> for the initial user stored in the database is not possible to decrypt
> and yet nobody has had any problems with it AFAIK. Since it has been
> successful, I'd like to suggest we add a checkbox to basic user folders
> that enables encryption for new passwords, and have it turned on by
> default. The risk is incompatibility with HTTP digest auth, which I
> imagine nobody is using right now.
There is already a proposal for this:
http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords
You could, of course, create a counter proposal.
--
Martijn Pieters
| Software Engineer mailto:mj@digicool.com
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
---------------------------------------------
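To make the scheme Shane describes concrete, here is an added example (not Zope's own code and not part of this thread) modelling a basic user folder with the proposed "encrypt new passwords" checkbox. The `{SHA}` prefix follows the base64 SHA convention Zope used for stored digests, but the `UserFolder` class and its method names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SHA_PREFIX = "{SHA}"  # assumed marker for a stored SHA digest (constructed example)


def encode_password(password: str, encrypt: bool = True) -> str:
    """Return the value to store. With encrypt=False the clear text is kept,
    which is the pre-proposal default described in the thread."""
    if not encrypt:
        return password
    # Unsalted SHA-1 as in the 2001 scheme; a current deployment would use a
    # salted, slow password hash instead.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def validate_password(stored: str, attempt: str) -> bool:
    """Accept either a clear-text or a {SHA} stored value, so existing users
    keep working after hashing is switched on for new passwords."""
    if stored.startswith(SHA_PREFIX):
        candidate = encode_password(attempt, encrypt=True)
        return hmac.compare_digest(candidate.encode(), stored.encode())
    return hmac.compare_digest(stored.encode(), attempt.encode())


class UserFolder:
    """Minimal stand-in for a user folder with the proposed checkbox."""

    def __init__(self, encrypt_new_passwords: bool = True):
        self.encrypt_new_passwords = encrypt_new_passwords
        self._users = {}

    def add_user(self, name: str, password: str) -> None:
        self._users[name] = encode_password(password, self.encrypt_new_passwords)

    def stored_value(self, name: str) -> str:
        return self._users[name]

    def authenticate(self, name: str, password: str) -> bool:
        stored = self._users.get(name)
        return stored is not None and validate_password(stored, password)

    def supports_digest_auth(self, name: str) -> bool:
        """HTTP Digest needs the server to reproduce a hash over the clear-text
        password, so a {SHA}-only entry cannot serve it (the risk Shane notes)."""
        return not self._users[name].startswith(SHA_PREFIX)
```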