[Zope] Security glitch on user-editing form

Rob Page rob.page@digicool.com
Tue, 11 May 1999 15:59:25 -0400


>  I just found that Zope presents the user-editing form (manage_users)
>  with the password in plaintext. That's a bit crude.
>  

As an example of our Open Source business model a current customer is
rather interested in LDAP and has asked us to develop some Zope
integration for it.  LDAP stores the _hash_ of users' passwords (e.g.,
crypt, MD5, SHA).  Our LDAP effort will be very sensitive to this
approach.

What are people's thoughts on storing password hashes instead of the
plaintext password?  Of course, it would become impossible to offer the
"You Forgot Your Password For the Fifteenth Time" email messages...

Ideas?  Comments?

--Rob
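The trade-off Rob raises (hashes instead of plaintext, and what that does to "mail me my password") in working code, as an added example that is not part of the original message and not Zope's or any LDAP server's code. It uses Python 3's hashlib, hmac and secrets modules; the LDAP-style {SSHA} encoding is the real format many directory servers use, the PBKDF2 scheme beside it is a stronger modern choice, and the class and method names (HashedUserFolder, start_reset, finish_reset) are assumptions for illustration.

```python
"""Storing password hashes rather than plaintext, an added example.

Not Zope's or any LDAP server's code.  Shows the LDAP-style {SSHA} format
(salted SHA-1, as many directory servers store it) beside a PBKDF2-SHA256
scheme, and a tiny user folder that keeps only the hash.  HashedUserFolder
and its methods are invented names for illustration.
"""
import base64
import hashlib
import hmac
import os
import secrets

SSHA_PREFIX = "{SSHA}"
PBKDF2_PREFIX = "{PBKDF2-SHA256}"
PBKDF2_ROUNDS = 100_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_ssha(password, salt=None):
    """LDAP {SSHA}: base64(sha1(password || salt) || salt); the salt is stored in clear."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + _b64(digest + salt)


def hash_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, deliberately slow hash: {PBKDF2-SHA256}rounds$salt$key (base64 fields)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "%s%d$%s$%s" % (PBKDF2_PREFIX, rounds, _b64(salt), _b64(key))


def verify(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    if stored.startswith(SSHA_PREFIX):
        raw = base64.b64decode(stored[len(SSHA_PREFIX):])
        expected, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith(PBKDF2_PREFIX):
        rounds, salt_b64, key_b64 = stored[len(PBKDF2_PREFIX):].split("$")
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(rounds))
    else:
        raise ValueError("unknown password hash scheme")
    return hmac.compare_digest(candidate, expected)


class HashedUserFolder:
    """Stand-in for a user folder that stores hashes only (assumed, illustrative API)."""

    def __init__(self, hasher=hash_pbkdf2):
        self._hasher = hasher
        self._users = {}                      # name -> (stored hash, roles)
        self._reset_tokens = {}               # name -> one-time reset token
        self._dummy = hasher("no-such-user")  # keeps timing equal for unknown names

    def add_user(self, name, password, roles=()):
        self._users[name] = (self._hasher(password), tuple(roles))

    def authenticate(self, name, password):
        entry = self._users.get(name)
        if entry is None:
            verify(password, self._dummy)     # same cost as a real check, then fail
            return False
        return verify(password, entry[0])

    def get_password(self, name):
        """What a plaintext manage_users form could show; with hashes there is nothing."""
        raise LookupError("only a hash is stored; the password cannot be recovered")

    def start_reset(self, name):
        """Replacement for 'mail me my password': a single-use reset token."""
        if name not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[name] = token
        return token

    def finish_reset(self, name, token, new_password):
        issued = self._reset_tokens.get(name)
        if issued is None or not hmac.compare_digest(issued, token):
            return False
        del self._reset_tokens[name]          # tokens are consumed on first use
        roles = self._users[name][1]
        self._users[name] = (self._hasher(new_password), roles)
        return True
```

The {SSHA} path is there for compatibility with what an existing directory already holds; for a store you control, the PBKDF2 path (or bcrypt/argon2 from a third-party library) is the one to pick, because a salted single SHA-1 is cheap to brute-force. `start_reset`/`finish_reset` is what takes the place of the "forgot your password" email once only hashes exist: the server can issue a short-lived token and let the user choose a new password, but it can never send the old one back.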