[Zope-dev] Plain-text passwords in your ZODB

Wichert Akkerman wichert at wiggy.net
Fri Dec 17 02:28:23 EST 2010


On 12/17/10 00:55 , Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/16/2010 02:58 PM, Marius Gedminas wrote:
>> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>>> Marius Gedminas wrote:
>>>> So, did you know that by default Zope stores a copy of every user's
>>>> username and password in your ZODB, in plain text, on every login that
>>>> uses forms and sessions (rather than HTTP basic auth)?
>>>
>>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>>
>> All of the above.  More specifically, zope.pluggableauth (and, I assume,
>> zope.app.authentication before that).
>>
>> I haven't looked at Zope 2, sorry.
>
> I would venture to say that almost nobody in the Z2 world uses
> zope.pluggableauth:  they use Products.PluggableAuthService or another
> Z2-specific solution.
>
> The SessionAuth plugin for PAS does put the credentials in the session,
> IIRC.

For Plone we use plone.session to manage authentication sessions. 
plone.session does not require any ZODB writes or storing of passwords, 
plaintext or otherwise. It is probably portable to zope.pluggableauth.

Wichert.
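As an added illustration (not code from zope.pluggableauth, plone.session or any Zope product), the two patterns the thread contrasts side by side: a session plugin that copies the submitted login form into persistent storage, so the plain-text password ends up in whatever holds the sessions, versus a scheme that checks the password once and then hands the browser an HMAC-signed ticket (user id plus timestamp), persisting no credentials at all. The server secret, user table, and every function and class name are constructed for this example, and the signed-ticket design is a general cookie-session idea assumed here, not a description of plone.session's internals.

```python
import hashlib
import hmac
import os
import time

# ---------------------------------------------------------------------------
# Pattern 1: the pattern the thread warns about.  A session plugin copies the
# submitted login form into a persistent session record, so every password
# sits in clear in whatever holds the sessions (in Zope's case the ZODB).
# ---------------------------------------------------------------------------
class PlaintextSessionStore:
    """Stand-in for a persistent session container (constructed, not ZODB)."""

    def __init__(self):
        self.records = {}

    def remember(self, session_id, login, password):
        # The raw password goes into durable storage: backups, Data.fs copies
        # and debug shells all expose it.
        self.records[session_id] = {"login": login, "password": password}

    def exposed_passwords(self):
        # What anyone holding a copy of the store would be able to read.
        return sorted(r["password"] for r in self.records.values())


# ---------------------------------------------------------------------------
# Pattern 2: verify once, then hand the browser a signed ticket (user id,
# timestamp, HMAC).  Nothing secret is written server-side per login; the
# server keeps only its signing key and salted password hashes.
# ---------------------------------------------------------------------------
SERVER_SECRET = b"constructed-demo-key-replace-with-random-bytes"  # assumption
TICKET_MAX_AGE = 3600  # seconds a ticket stays valid


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the salt is stored alongside, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_ticket(userid, now=None, secret=SERVER_SECRET):
    """Build 'userid:timestamp:hmac'; the password never enters the ticket."""
    ts = int(now if now is not None else time.time())
    payload = f"{userid}:{ts}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_ticket(ticket, now=None, secret=SERVER_SECRET, max_age=TICKET_MAX_AGE):
    """Return the user id if the ticket is authentic and fresh, else None."""
    try:
        userid, ts_text, mac = ticket.rsplit(":", 2)
        ts = int(ts_text)
    except ValueError:
        return None  # malformed ticket
    expected = hmac.new(secret, f"{userid}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered user id, timestamp or signature
    current = now if now is not None else time.time()
    if not 0 <= current - ts <= max_age:
        return None  # expired, or timestamp from the future
    return userid


# Constructed user table: login -> (salt, pbkdf2 digest).  No plaintext here.
_salt, _digest = hash_password("correct horse")
USERS = {"alice": (_salt, _digest)}


def login(userid, password, now=None):
    """Form login: check the password, then issue a ticket and forget it."""
    record = USERS.get(userid)
    if record is None or not check_password(password, *record):
        return None
    return make_ticket(userid, now=now)
```

In the second pattern the only server-side state is the signing key and the salted hashes, so a copy of the database yields no reusable passwords; the `now` parameter exists purely so expiry can be exercised deterministically.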
