[Zope] Security: acl_users' passwds encrypted?

Fred Yankowski fred@ontosys.com
Thu, 8 Feb 2001 12:51:57 -0600


Even using Cookie mode authentication with the LoginManager product,
the user/password data is merely base64 encoded (not encrypted).

Someday I'd like to get a challenge/response authentication going, where
the server sends a one-time challenge value and the client/browser
uses MD5 (via javascript) to hash the user's password combined with
that one-time code.  This works great in PHPlib.  But I don't
understand the architecture of LoginManager well enough yet to hack
it.

Someone pointed out that the ArsDigita Community System (for AOLserver
("openNSD"!)) also has a well-thought-out user authentication system
that might serve as a good model for extending LoginManager.

On Thu, Feb 08, 2001 at 09:01:51PM +0300, Oleg Broytmann wrote:
>    It depends on whether you use HTTP or HTTPS. On HTTP passwords go
> absolutely unencrypted.

-- 
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA
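The challenge/response login sketched in the message above, worked through as an added example; it is not code from the post, from LoginManager, or from PHPlib. Both sides are written in Python so the exchange fits in one runnable file (in a browser the client step would be the JavaScript MD5 the post mentions). Two details are assumptions of this example rather than anything the post specifies: the server stores MD5(password) and the client sends MD5(MD5(password) + challenge), so the server never needs the plaintext; and each challenge is single-use with a short lifetime, which is what makes a captured response useless for replay. The user table is constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed user table: username -> hex MD5 of the password.
# Storing MD5(password) instead of the password itself is an assumption of this
# example; the server still holds a password-equivalent (anyone who steals this
# table can compute valid responses), so it must be protected like a password.
USERS = {"fred": hashlib.md5(b"correct horse").hexdigest()}


class ChallengeServer:
    """Server side: issues one-time challenges and checks responses."""

    def __init__(self, users, ttl=60):
        self.users = users
        self.ttl = ttl                 # seconds a challenge stays valid
        self.pending = {}              # challenge -> (username, issued_at)

    def issue_challenge(self, username, now=None):
        """Step 1: send the client a fresh, unpredictable one-time value."""
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (username, now)
        return challenge

    def verify(self, username, challenge, response, now=None):
        """Step 3: recompute the expected digest and compare.

        The challenge is removed from the pending table whether or not the
        attempt succeeds, so an attacker who sniffed (challenge, response) on
        plain HTTP cannot replay it; they would have to crack MD5(password)
        out of the response offline instead.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return False               # unknown, expired-and-purged, or reused
        owner, issued_at = entry
        if owner != username or now - issued_at > self.ttl:
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = hashlib.md5((stored + challenge).encode()).hexdigest()
        # Constant-time comparison so response checking does not leak bytes.
        return secrets.compare_digest(expected, response)


def client_response(password, challenge):
    """Step 2: what the browser-side script computes.

    Only this digest crosses the wire; the password itself never leaves the
    client, which is the point of the scheme on an unencrypted HTTP link.
    """
    pw_digest = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((pw_digest + challenge).encode()).hexdigest()


def demo():
    """Run one good login, one replay, and one wrong-password attempt."""
    server = ChallengeServer(USERS)
    c = server.issue_challenge("fred")
    r = client_response("correct horse", c)
    first = server.verify("fred", c, r)      # valid: True
    replay = server.verify("fred", c, r)     # same challenge again: False
    c2 = server.issue_challenge("fred")
    wrong = server.verify("fred", c2, client_response("wrong", c2))  # False
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you: the password stops travelling in the clear (the weakness raised in the quoted reply), and a sniffed exchange cannot be replayed, but whatever session cookie the server hands out after a successful `verify` still travels over HTTP and is just as sniffable as before, and the stored MD5(password) is unsalted and itself sufficient to log in if the user table leaks.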