[Zope-dev] Plain-text passwords in your ZODB

Marius Gedminas marius at gedmin.as
Thu Dec 16 14:21:30 EST 2010


So, did you know that by default Zope stores a copy of every user's
username and password in your ZODB, in plain text, on every login that
uses forms and sessions (rather than HTTP basic auth)?

Look for them in /++etc++site/default/PersistentSessionDataContainer,
inside the numerous SessionCredentials objects.

I would like to release zope.pluggableauth 1.2 with this change:
http://zope3.pov.lt/trac/changeset/118971/zope.pluggableauth

so that people could supply a different SessionCredentials
implementation if they so desire.  For example, they could use
keas.kmi.persistent.EncryptedPersistent as a base class.

Any comments/objections/better suggestions?


That still leaves the default behaviour being broken.  I'm not feeling
up to the task of redesigning zope.pluggableauth so it wouldn't need to
keep a copy of the user's credentials persistently.  Any takers?  By the
way, that would be a nice opportunity to fix a few other Zope3/BlueBream
authentication issues:

  * It's *insanely complicated* to log user logins and logouts, if you
    need an accurate audit log.  Or if you want to count the number of
    failed login attempts.

  * It's *insanely complicated* (if not impossible) to try to use your own
    Principal classes.

  * The default password hashing and salting scheme (SSHA) used by the
    principal folder is weak.  See

      http://codahale.com/how-to-safely-store-a-password/
      http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

  * The password checking code in zope.password is susceptible to a timing
    attack.  See

      http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/


Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development
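As an added illustration of the last two bullets above (not code from zope.password or from the author), the block below shows a {SSHA} verifier written with a short-circuiting `==`, the same check with a constant-time comparison, and a PBKDF2 scheme of the kind the linked articles recommend. The `{SSHA}` layout (sha1(password + salt) + salt, base64-encoded) and all scheme names, salt lengths and round counts are assumptions for the example.

```python
"""{SSHA} verification: naive vs. constant-time, plus a PBKDF2 alternative."""
import base64
import hashlib
import hmac
import os

# Assumed layout: b"{SSHA}" + base64(sha1(password + salt).digest() + salt)
SSHA_PREFIX = b"{SSHA}"
PBKDF2_PREFIX = b"{PBKDF2-SHA256}"
ROUNDS = 200_000  # work factor chosen for the example

def ssha_encode(password, salt=None):
    salt = os.urandom(4) if salt is None else salt
    return SSHA_PREFIX + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def _ssha_split(encoded):
    """Return (stored_digest, salt) from an encoded {SSHA} value."""
    decoded = base64.b64decode(encoded[len(SSHA_PREFIX):])
    return decoded[:20], decoded[20:]

def ssha_verify_naive(password, encoded):
    """== on bytes stops at the first differing byte, so the response time
    leaks how many leading digest bytes matched (the timing attack)."""
    digest, salt = _ssha_split(encoded)
    return hashlib.sha1(password + salt).digest() == digest

def ssha_verify(password, encoded):
    """Same check, but the comparison takes the same time whether the
    mismatch is in the first byte or the last."""
    if not encoded.startswith(SSHA_PREFIX):
        return False
    digest, salt = _ssha_split(encoded)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def pbkdf2_encode(password, salt=None, rounds=ROUNDS):
    """Salted, iterated hash: each guess costs the attacker `rounds` HMACs."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return b"$".join([PBKDF2_PREFIX, str(rounds).encode(),
                      base64.b64encode(salt), base64.b64encode(dk)])

def pbkdf2_verify(password, encoded):
    try:
        prefix, rounds, salt_b64, dk_b64 = encoded.split(b"$")
        if prefix != PBKDF2_PREFIX:
            return False
        salt, expected, rounds = base64.b64decode(salt_b64), base64.b64decode(dk_b64), int(rounds)
    except ValueError:  # malformed record, bad base64 or non-numeric round count
        return False
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, rounds), expected)
```

Both verifiers accept the same stored values; only the comparison (and, for PBKDF2, the cost per guess) differs.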