[Zope] Security glitch on user-editing form
Alexander Staubo
alex@mop.no
Tue, 11 May 1999 22:22:58 +0200
Any one-way encryption method will work, but why not modularized
authentication support? Something that would permit you to use anything
from one-way-encryption to Kerberos to LDAP, but not necessarily just a
fixed algorithm. LDAP is an interesting possibility, but I don't like
the idea of being stapled to LDAP -- it's overkill for most
installations.
Alexander Staubo
http://www.mop.no/~alex/
mailto:redhand@mop.no
>-----Original Message-----
>From: Rob Page [mailto:rob.page@digicool.com]
>Sent: 11. mai 1999 22:10
>To: 'Alexander Staubo'
>Cc: 'zope@zope.org'
>Subject: RE: [Zope] Security glitch on user-editing form
>
>
>> I just found that Zope presents the user-editing form (manage_users)
>> with the password in plaintext. That's a bit crude.
>>
>
>As an example of our Open Source business model a current customer is
>rather interested in LDAP and has asked us to develop some Zope
>integration for it. LDAP stores the _hash_ of users' passwords (e.g.,
>crypt, MD5, SHA). Our LDAP effort will be very sensitive to this
>approach.
>
>What are people's thoughts on storing password hashes instead of the
>plaintext password? Of course, it would become impossible to offer the
>"You Forgot Your Password For the Fifteenth Time" email messages...
>
>Ideas? Comments?
>
>--Rob
>
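The hashed-password store Rob describes, and the "one-way encryption" backend Alexander wants to plug in, look like the following in Python. This is an added example written for this page, not code from Zope or from the Zope LDAP work mentioned above; the `HashedUserStore` class, its record format `pbkdf2_sha256$iterations$salt$digest`, and the iteration count are assumptions chosen for illustration. It keeps only a salted, iterated hash, so the edit form can no longer show the password, and the "you forgot your password again" mail becomes a one-time reset token instead of the password itself.

```python
"""Salted, iterated password hashing as a replacement for a plaintext
user store.  Added example, not Zope code; HashedUserStore is a
hypothetical stand-in for whatever manage_users persists."""
import base64
import hashlib
import hmac
import os
import secrets

# Assumption: a present-day PBKDF2-HMAC-SHA256 work factor.  Stored beside
# each digest so it can be raised later without invalidating accounts.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iter$salt$digest'.
    A fresh random salt per user means equal passwords give unequal records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(record, candidate):
    """Recompute the digest from the stored parameters and compare it in
    constant time; a malformed or foreign record simply fails."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Record checked for unknown usernames so that a login attempt costs the
# same time whether or not the account exists.
_DUMMY_RECORD = hash_password("", b"\0" * 16)


class HashedUserStore:
    """Hypothetical user store that never holds the password itself."""

    def __init__(self):
        self._records = {}       # username -> hash record
        self._reset_tokens = {}  # one-time token -> username

    def add_user(self, username, password):
        self._records[username] = hash_password(password)

    def authenticate(self, username, password):
        record = self._records.get(username)
        if record is None:
            verify_password(_DUMMY_RECORD, password)  # burn equal work
            return False
        return verify_password(record, password)

    def edit_form_value(self, username):
        """What a manage_users-style form can show once passwords are
        hashed: the record, from which the password cannot be recovered."""
        return self._records[username]

    def begin_password_reset(self, username):
        """Replaces mailing the password back: issue a one-time token that
        lets the user choose a new password."""
        if username not in self._records:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = username
        return token

    def complete_password_reset(self, token, new_password):
        username = self._reset_tokens.pop(token, None)
        if username is None:
            return False
        self._records[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = HashedUserStore()
    store.add_user("alex", "hunter2")
    print(store.edit_form_value("alex"))          # no plaintext here
    print(store.authenticate("alex", "hunter2"))  # True
    token = store.begin_password_reset("alex")
    store.complete_password_reset(token, "new-secret")
    print(store.authenticate("alex", "hunter2"))  # False: old password gone
```

Swapping `hash_password`/`verify_password` for a `crypt`-style or LDAP-backed pair is the "modularized authentication" point: the store only needs a function that produces a record and one that checks a candidate against it, so the algorithm is not fixed.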