[Zope-dev] Plain-text passwords in your ZODB

Marius Gedminas marius at gedmin.as
Thu Dec 16 14:58:24 EST 2010


On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> Marius Gedminas wrote:
> > So, did you know that by default Zope stores a copy of every user's
> > username and password in your ZODB, in plain text, on every login that
> > uses forms and sessions (rather than HTTP basic auth)?
> 
> By "Zope" you mean Zope 3, ZTK, Bluebream ...?

All of the above.  More specifically, zope.pluggableauth (and, I assume,
zope.app.authentication before that).

I haven't looked at Zope 2, sorry.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development