On 10/15/2009 01:09 PM, Vincent Massol wrote:
>
> On Oct 15, 2009, at 10:56 AM, Sergiu Dumitriu wrote:
>
>> On 10/14/2009 06:59 PM, [email protected] wrote:
>>> Hello Developers,
>>>
>>> This message is sent by XWiki. Here are the documents in your watchlist
>>> that have been modified since the last notification:
>>
>>> XWiki.flavius
>>>
>>>
>>> Between 2009/10/12 15:15 and 2009/10/12 15:17, the document has
>>> been modified 2 times, by 2 user(s): Flavius Olaru, Jerome Velociter
>>>
>>> XWiki.XWikiUsers
>>> password:
>>> hash:SHA-512:ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ffhash:SHA-512:01ee4ab961b2f3f35fce8412d7facc44cd68782ed1b1810e849f21420583df04bee183d2b740d33417584e14fbc0dfc9d6232d2ce814012146840a69fdb2f31f
>>> author: XWiki.jvelociter> XWiki.flavius
>>
>> ^^^
>> This is not right.
>
> I was wondering too. Can you be more specific about what's not right?

Password changes should not be sent in plain text on this email.
Fortunately the default password is hashed, but:
- this is configurable, so some wikis could have plain text passwords
- hashes are getting easier to break, with advances in cryptography and mass computing
- other classes could use custom unencrypted password fields
- most other places where fields are displayed hide the password (XML export, access through the API, the object editor...)

So, we either don't display it at all, or we display a generic "password: this value has changed"

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
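
The masking proposed in this message, as an added example that is not code from XWiki or from anyone in the thread. The schema layout, the `Custom.*` class names, the sample values and the choice to also mask properties of unknown type are assumptions made for illustration:

```python
# Added illustration; not XWiki code. The schema layout, the Custom.* classes
# and all sample values are constructed for this example.
from typing import NamedTuple

REDACTED = "this value has changed"

# Declared property types per class, as a notifier could read them from the
# class definitions (assumed layout).
SCHEMA = {
    "XWiki.XWikiUsers": {"password": "Password", "email": "String"},
    "Custom.ApiAccount": {"secret": "Password", "label": "String"},
}


class Change(NamedTuple):
    class_name: str
    prop: str
    old: str
    new: str


def render_change(change, schema=SCHEMA):
    """Return one notification line for a changed object property."""
    prop_type = schema.get(change.class_name, {}).get(change.prop)
    # Decide on the declared type, not on the field name or the value format,
    # so plain-text storage and custom classes are covered as well as hashes.
    # Assumption: a property whose type cannot be resolved is masked too.
    if prop_type is None or prop_type == "Password":
        return f"{change.prop}: {REDACTED}"
    return f"{change.prop}: {change.old} > {change.new}"


def render_notification(changes, schema=SCHEMA):
    """Render every change of a watchlist notification, one line each."""
    return "\n".join(render_change(c, schema) for c in changes)


# Constructed sample changes: hashed password, ordinary field, plain-text
# secret in a custom class, and a class the schema does not know.
SAMPLE = [
    Change("XWiki.XWikiUsers", "password", "hash:SHA-512:aaaa", "hash:SHA-512:bbbb"),
    Change("XWiki.XWikiUsers", "email", "old@example.org", "new@example.org"),
    Change("Custom.ApiAccount", "secret", "plain-old", "plain-new"),
    Change("Custom.Unknown", "token", "t-old", "t-new"),
]

if __name__ == "__main__":
    print(render_notification(SAMPLE))
```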

