[Zope] Re: PAS and md5 or crypt passwords

Robert (Jamie) Munro jamie at textmatters.com
Mon Oct 16 06:28:50 EDT 2006


Piotr Furman wrote:
> 
>> I've edited GMailAuthPlugin, renamed it MD5AuthPlugin, added that code
>> and removed the google specific code. It doesn't give any errors, but it
>> also doesn't let me log in. I've tried adding a line to log things, but
>> that doesn't seem to be working either.
>>
> 
> Maybe You should take a look at SQLPASPlugin -
> http://plone.org/products/sqlpasplugin - there are some SHA encryption
> possibilities, however they are commented by default.
> So You would have to modify its code a little bit.

That's what I was using before. I had no idea that it supported SHA, or
that it was so easy to add MD5. That has solved my problem - Thanks.

It's a pretty silly implementation, though. The point of hashing
passwords with MD5 or SHA1 is that if an attacker can read the password
files due to some kind of security leak, he still doesn't have the
passwords themselves, so he still can't log in. Unfortunately, the way it
is implemented in SQLPASPlugin, the fact that he doesn't have the
password doesn't matter because if you put the hash itself in the
password field, you are allowed into the site.

It doesn't matter too much for my application, but it's something that
should probably be fixed.

Thanks for everyone's advice, though.

Robert (Jamie) Munro
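The flaw Jamie describes, modelled as an added example (this is not SQLPASPlugin's code, and the user table, hashes and function names are constructed for illustration): the flawed check accepts the stored hash itself as a credential, the corrected check accepts only the real password.

```python
import hashlib
import hmac

def _digest(algorithm, password):
    """Hex digest of a password with the named unsalted algorithm (md5 or sha1)."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()

# Constructed sample user table: login -> (hash algorithm, hex digest).
# Both accounts use the constructed password "correct horse".
USERS = {
    "jamie": ("sha1", _digest("sha1", "correct horse")),
    "piotr": ("md5", _digest("md5", "correct horse")),
}

def flawed_authenticate(login, submitted):
    """Behaviour described in the post: the submitted value passes if it is
    either the password or the stored hash itself, so a leaked hash table
    is as good as the passwords."""
    record = USERS.get(login)
    if record is None:
        return False
    algorithm, stored = record
    return submitted == stored or _digest(algorithm, submitted) == stored

def fixed_authenticate(login, submitted):
    """Only the plaintext password passes; the stored hash is never compared
    directly against user input. hmac.compare_digest keeps the comparison
    constant-time so a mismatch position is not leaked via timing."""
    record = USERS.get(login)
    if record is None:
        # Hash anyway so unknown and known logins take similar time.
        _digest("sha1", submitted)
        return False
    algorithm, stored = record
    return hmac.compare_digest(_digest(algorithm, submitted), stored)
```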


