[Zope-dev] Proposed proposals: password encryption, ZODB RAM
Shane Hathaway
shane@digicool.com
Mon, 18 Jun 2001 16:56:49 -0400
On Monday 18 June 2001 15:33, Martijn Pieters wrote:
> On Mon, Jun 18, 2001 at 12:28:54PM -0400, Shane Hathaway wrote:
> > 1) Optional password encryption. Right now passwords are stored as
> > clear text. What's interesting is that Zope can already authenticate
> > against SHA encrypted passwords, it just won't encrypt user passwords
> > unless you force it to. As a test of Zope's ability to authenticate
> > against encrypted passwords, I sneakily implemented the "inituser"
> > changes with SHA encryption by default. That means that the password
> > for the initial user stored in the database is not possible to decrypt
> > and yet nobody has had any problems with it AFAIK. Since it has been
> > successful, I'd like to suggest we add a checkbox to basic user folders
> > that enables encryption for new passwords, and have it turned on by
> > default. The risk is incompatibility with HTTP digest auth, which I
> > imagine nobody is using right now.
>
> There is already a proposal for this:
>
> http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords
>
> You could, of course, create a counter proposal..
I'm suggesting a checkbox that enables and disables encryption. Enabling
encryption is actually very simple--I've had it enabled on my own box for
nearly a year. :-)
Shane