[Zope-dev] Plain-text passwords in your ZODB
Tres Seaver
tseaver at palladion.com
Thu Dec 16 18:55:56 EST 2010
On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>>
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
>
> I haven't looked at Zope 2, sorry.
I would venture to say that almost nobody in the Z2 world uses
zope.pluggableauth: they use Products.PluggableAuthService or another
Z2-specific solution.
The SessionAuth plugin for PAS does put the credentials in the session,
IIRC.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
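The storage pattern Marius describes above (a session-based credentials plugin writes the submitted login and password into the session, and the session itself lives in the ZODB, so the password is persisted in plain text) is easy to see in miniature. What follows is an added example, not code from this thread and not zope.pluggableauth's or PAS's own implementation: the two plugin classes, the `authenticate` helper and the `USERS` table are hypothetical stand-ins, and a plain dict stands in for the ZODB session container. The first plugin reproduces the plaintext pattern; the second checks the password once at login and persists only the resulting principal id. `persisted_bytes` pickles the store the way the ZODB would, so you can check what actually reaches disk, and `plaintext_password_sessions` is a small audit helper that flags sessions carrying a `password` key.

```python
import pickle

# Constructed user table (hypothetical): login -> password.  A real
# authenticator would compare against a salted hash; the point of this
# example is what ends up in the *session*, not how passwords are stored.
USERS = {"alice": "correct horse battery staple"}


def authenticate(login, password):
    """Return a principal id on success, else None (hypothetical helper)."""
    return f"principal.{login}" if USERS.get(login) == password else None


class PlainSessionCredentialsPlugin:
    """Reproduces the pattern the thread describes: on every form login the
    submitted login and password are copied into the session as-is.  With a
    ZODB-backed session container that means they are persisted in plain text."""

    def __init__(self, sessions):
        self.sessions = sessions  # dict standing in for the ZODB session container

    def extract_credentials(self, session_id, form):
        session = self.sessions.setdefault(session_id, {})
        if "login" in form and "password" in form:
            session["credentials"] = {"login": form["login"],
                                      "password": form["password"]}
        return session.get("credentials")

    def principal_for(self, session_id):
        # The password has to be kept so it can be re-verified later.
        creds = self.sessions.get(session_id, {}).get("credentials")
        return authenticate(creds["login"], creds["password"]) if creds else None


class PrincipalSessionPlugin:
    """Hardened variant (added here, not an existing zope.pluggableauth API):
    the password is checked exactly once, at login time, and only the
    resulting principal id is persisted.  The session is server-side state,
    so the session id the browser presents maps back to that principal
    without the password ever being written to the ZODB."""

    def __init__(self, sessions):
        self.sessions = sessions

    def extract_credentials(self, session_id, form):
        session = self.sessions.setdefault(session_id, {})
        if "login" in form and "password" in form:
            principal = authenticate(form["login"], form["password"])
            if principal is None:
                session.pop("principal", None)  # failed login clears any old binding
                return None
            session["principal"] = principal
        return session.get("principal")

    def principal_for(self, session_id):
        return self.sessions.get(session_id, {}).get("principal")


def persisted_bytes(sessions):
    """Pickle the session container, as the ZODB would, to see what hits disk."""
    return pickle.dumps(sessions)


def plaintext_password_sessions(sessions):
    """Audit helper: ids of sessions whose stored data carries a 'password'
    key anywhere in a nested mapping."""
    def has_password(obj):
        if isinstance(obj, dict):
            return any(k == "password" or has_password(v) for k, v in obj.items())
        return False
    return sorted(sid for sid, data in sessions.items() if has_password(data))


def demo():
    """Log the same user in through both plugins and compare what persists."""
    form = {"login": "alice", "password": "correct horse battery staple"}
    plain_store, safe_store = {}, {}
    plain = PlainSessionCredentialsPlugin(plain_store)
    safe = PrincipalSessionPlugin(safe_store)
    plain.extract_credentials("sid-1", form)
    safe.extract_credentials("sid-1", form)
    # A later request with no form fields: both plugins still identify the user.
    assert plain.principal_for("sid-1") == safe.principal_for("sid-1") == "principal.alice"
    secret = form["password"].encode()
    return {
        "plain_leaks": secret in persisted_bytes(plain_store),
        "safe_leaks": secret in persisted_bytes(safe_store),
        "flagged": plaintext_password_sessions(plain_store),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the password bytes present in the pickled plaintext store and absent from the hardened one, while both plugins still resolve the session to the same principal on a follow-up request. The audit helper is deliberately naive (it only looks for a key literally named `password`); in a real ZODB you would walk the session data container with the same idea, but expect to adjust the key names to whatever your credentials plugin actually stores.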