[Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.

2013-07-19 Thread Thibault Fevry
Thibault Fevry added the comment: Still, I believe letting people know password hashes is not very good practice, since every known website, when they have a security issue and have a risk that their database password hashes are stolen, ask their users to reset them. Sure it makes it *hard* an

[Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.

2013-07-19 Thread R David Murray
R David Murray added the comment: Because sorting is a generic interface. You'd have to add special code to deny sorting by password. But as Martin says, it's not a security issue. -- nosy: +r.david.murray ___ PSF Meta Tracker

[Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.

2013-07-19 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment: Why does the Roundup interface allow sorting on passwords (or password hashes)?

[Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.

2013-07-19 Thread Martin v . Löwis
Martin v. Löwis added the comment: iwontbecreative: your conclusion is incorrect. The database doesn't store plain text passwords, but hashes, so it sorts on hash. With that, it is not possible to recover a user's password. -- nosy: +loewis status: unread -> resolved

[Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.

2013-07-15 Thread Thibault Fevry
New submission from Thibault Fevry: As explained in issue 519, one can sort usernames using the password key: http://bugs.python.org/user?@sort=password This allows for a user to modify his password and see where he stands until he guesses another password. This being easy to script seeing