[Zope-dev] Proposed proposals: password encryption, ZODB RAM

Shane Hathaway shane@digicool.com
Mon, 18 Jun 2001 16:56:49 -0400


On Monday 18 June 2001 15:33, Martijn Pieters wrote:
> On Mon, Jun 18, 2001 at 12:28:54PM -0400, Shane Hathaway wrote:
> > 1) Optional password encryption.  Right now passwords are stored as
> > clear text.  What's interesting is that Zope can already authenticate
> > against SHA encrypted passwords, it just won't encrypt user passwords
> > unless you force it to.  As a test of Zope's ability to authenticate
> > against encrypted passwords, I sneakily implemented the "inituser"
> > changes with SHA encryption by default.  That means that the password
> > for the initial user stored in the database is not possible to decrypt
> > and yet nobody has had any problems with it AFAIK.  Since it has been
> > successful, I'd like to suggest we add a checkbox to basic user folders
> > that enables encryption for new passwords, and have it turned on by
> > default.  The risk is incompatibility with HTTP digest auth, which I
> > imagine nobody is using right now.
>
> There is already a proposal for this:
>
>   http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords
>
> You could, of course, create a counter proposal..

I'm suggesting a checkbox that enables and disables encryption.  Enabling
encryption is actually very simple--I've had it enabled on my own box for
nearly a year. :-)

Shane