[Zope] Major security flaw in Zope 2.3.2

Barry A. Warsaw barry@digicool.com
Thu, 7 Jun 2001 10:28:49 -0400


>>>>> "JW" == Joachim Werner <joe@iuveno-net.de> writes:

    JW> I am really not against encrypted passwords. DC should
    JW> implement this soon.  AFAIK the only reason for passwords not
    JW> being encrypted yet was that the encryption modules needed
    JW> were not available for all platforms or so.

I'm coming in totally in the middle of this thread, and I only follow
this list tangentially, but I thought I'd comment w.r.t. my experience
in Mailman.

One reason to keep passwords in the clear is to provide a mail-back
service when a user forgets his or her password.  If you store them in
encrypted form, you can't really do this.  (You could store
user-supplied hints and mail those back, but that doesn't seem to work
too well in my experience.  I haven't seen any usability studies to say
whether that's a useful approach or not.)

In Mailman, we keep user passwords in the clear so we can do the
monthly password reminders.  However, the list admin passwords are
kept as a sha1 hash - not in the clear.  That means that if a list
admin forgets his password, it's up to the site admin to assign them a
new password.  So far, this has been a workable trade-off.

We have the advantage that user passwords don't protect a highly
valuable resource; the worst that can happen is that they'll get
unsubscribed from a list.  Bad, but not catastrophic.  List and site
admin passwords are more valuable, so they afford a higher degree of
security (and necessarily, less convenience).

Side note: Mailman doesn't -- by default -- have SSL for its login
pages, although I'm aware that some sites have augmented their Mailman
installations to provide this.  It would probably be a good idea to
someday bundle this functionality.

Cheers,
-Barry
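The trade-off Barry describes for list admin passwords (store only a hash, so a forgotten password cannot be mailed back and the site admin has to assign a new one) is shown below as an added example; it is not Mailman's or Zope's code. It uses a salted PBKDF2-SHA256 hash rather than the bare sha1 the post mentions, a constant-time comparison on login, and a reset path that hands out a fresh random password exactly once. The in-memory `ADMIN_RECORDS` store, the function names and the account name are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed in-memory store for the example (admin name -> packed hash).
# A real list manager would persist these records.
ADMIN_RECORDS: Dict[str, str] = {}

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and pack it with its parameters as
    'pbkdf2_sha256$iterations$salt_hex$digest_hex'.  Nothing reversible
    is kept, so the password itself can never be mailed back."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time.  Malformed records simply fail to verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash for an account that does not exist, so that a login attempt against
# an unknown name costs the same time as a wrong password for a known one.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def set_admin_password(name: str, password: str) -> None:
    """Store only the hash; the clear-text password is discarded."""
    ADMIN_RECORDS[name] = hash_password(password)


def check_admin_login(name: str, password: str) -> bool:
    """Login check.  Unknown accounts still pay the hashing cost."""
    stored = ADMIN_RECORDS.get(name)
    if stored is None:
        verify_password(password, _DUMMY_HASH)
        return False
    return verify_password(password, stored)


def reset_admin_password(name: str) -> str:
    """The site-admin path from the post: there is no password to mail back,
    so a fresh random one is assigned, only its hash is stored, and the clear
    value is returned once to be handed to the list admin."""
    if name not in ADMIN_RECORDS:
        raise KeyError(f"no such admin account: {name}")
    new_password = secrets.token_urlsafe(12)
    set_admin_password(name, new_password)
    return new_password


if __name__ == "__main__":
    set_admin_password("listadmin", "correct horse")       # constructed account
    print("login ok:", check_admin_login("listadmin", "correct horse"))
    print("wrong pw:", check_admin_login("listadmin", "wrong"))
    replacement = reset_admin_password("listadmin")
    print("old pw after reset:", check_admin_login("listadmin", "correct horse"))
    print("new pw after reset:", check_admin_login("listadmin", replacement))
```

The stored record carries its own salt and iteration count, so the parameters can be raised later without re-hashing every account at once; the packed string is also what a defender would inspect to confirm no clear-text values have leaked into the store.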