[Zope] Accessing a user's password

Terry Hancock hancock@anansispaceworks.com
Sat, 15 Feb 2003 13:43:56 -0800


On Saturday 15 February 2003 09:00 am, zope-request@zope.org wrote:
> Asad Habib wrote:
> > Is there any way to access a user's password given the
> > name of the user?
> 
> Why would you want to do that? It's a bit of a security issue...

It actually depends on how the authentication data is actually
stored. In my case, I'm using MySQL to do that, so as long as I
have the right privileges to do the search, it's simply a matter of
running an SQL query.

For other user folders, you'll need to do an unrestricted Python
call (from within a product or an external method).  Obviously
this is good, since it isn't possible for a restricted Python script
to steal passwords!

> > Also, once you access the password,
> > how would you decrypt it
> You can't, that's the point ;-)

So true.

You can of course, *crack* passwords -- but it's an
unreliable and difficult process. It's precisely what
a good secure hash is trying to avoid!  (It's not like
the reversible private or public key encryption which
can be reversed if you have the key -- I was a little
unclear on this distinction myself just last year when
I was changing my authentication system).

This is a good reason to use plain-text storage
of passwords if you think you're going to need this
capability. I was originally going to use encrypted
passwords on my project, but SimpleUserFolder made
this difficult because it didn't give me a way to
compare hashes instead of the original passwords
(This may not be true anymore, I haven't checked,
BTW).

But the point is, I realized I wanted to be able to send
out reminders (and the data is not so secure that it is
really necessary to have high security -- it's more of a
privacy password at this point).  So the technical
difficulty was actually a bit of a blessing in disguise, because
it made me stop and think about this issue.

I also realized that unless you're using SSL/HTTPS you aren't
really that secure anyway -- although you may be storing
a secure hash, the password is going plain text through
the internet on each login (Someone please correct me if
I'm wrong on this point).  If so, then what's the point? All
you're doing is giving yourself a false sense of security at
the cost of considerable inconvenience -- any competent
cracker can set up to sniff your passwords anyway.

>  > (I would like to email the
>  > password to a user who has forgotten his)?
> 
> You should change their password and email them that new one.

Although I agree that this is the only way to deal with encrypted
passwords, it can be very annoying for the user.  I decided
plain text served my present needs better, partly for
this reason.

Of course, if you are handling extremely sensitive information
(financial data or keys, classified information, extremely personal
data like medical records) or other stuff with severe consequences
if it's leaked, then you're better off with encrypted and the hassles
that come with it.

But if it's just a privacy password to keep people from pretending
to be other people in forums or something, or from messing up
each other's profiles or something, then I don't think it's worth it.

And if you *are* going to use encrypted passwords, then you need
to set up your site for SSL/HTTPS!

Actually, you have to think about what kind of threat is probable --
how can the passwords be stolen?  If your database is accessible
by other means, or could be compromised, then encrypting the
data there really makes sense.  But it seems to me that a remote
attack, such as sniffing packets, is much more likely.  Therefore, you'd
actually be more secure to use plain text passwords with an SSL/
HTTPS site than to encrypt passwords on a plain HTTP site.

Cheers,
Terry

--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks  http://www.anansispaceworks.com

"Some things are too important to be taken seriously"
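
The hash-comparison login and the "change their password and email them that new one" approach discussed in this thread, as an added example that is not part of the original post or of any Zope user folder. The UserStore class, the user names and the iteration count are assumptions made for illustration; only Python standard-library calls are used.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def hash_password(password: str) -> str:
    """Return 'scheme$iterations$salt$digest' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare the hashes."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # a malformed record never authenticates
    return hmac.compare_digest(candidate, expected)  # constant-time compare


class UserStore:
    """Hypothetical in-memory user table: name -> stored hash string."""

    def __init__(self):
        self.users = {}

    def set_password(self, name: str, password: str) -> None:
        self.users[name] = hash_password(password)

    def login(self, name: str, password: str) -> bool:
        stored = self.users.get(name)
        return stored is not None and verify_password(password, stored)

    def reset_password(self, name: str) -> str:
        """Forgotten password: the old one cannot be recovered from the
        hash, so replace it and return the new one for the reminder mail."""
        if name not in self.users:
            raise KeyError(name)
        new_password = secrets.token_urlsafe(12)
        self.set_password(name, new_password)
        return new_password
```

The store never holds the password itself, so a reminder mail can only carry the freshly generated replacement.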