Re: [Zope-dev] Plain-text passwords in your ZODB
Marius Gedminas wrote:
> So, did you know that by default Zope stores a copy of every user's
> username and password in your ZODB, in plain text, on every login that
> uses forms and sessions (rather than HTTP basic auth)?

By Zope you mean Zope 3, ZTK, Bluebream ...?

Andreas

___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope)
Re: [Zope-dev] Plain-text passwords in your ZODB
On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> Marius Gedminas wrote:
> > So, did you know that by default Zope stores a copy of every user's
> > username and password in your ZODB, in plain text, on every login that
> > uses forms and sessions (rather than HTTP basic auth)?
>
> By Zope you mean Zope 3, ZTK, Bluebream ...?

All of the above. More specifically, zope.pluggableauth (and, I assume,
zope.app.authentication before that).

I haven't looked at Zope 2, sorry.

Marius Gedminas
--
http://pov.lt/ -- Zope 3/BlueBream consulting and development
Re: [Zope-dev] Plain-text passwords in your ZODB
On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> > Marius Gedminas wrote:
> > > So, did you know that by default Zope stores a copy of every user's
> > > username and password in your ZODB, in plain text, on every login that
> > > uses forms and sessions (rather than HTTP basic auth)?
> >
> > By Zope you mean Zope 3, ZTK, Bluebream ...?
>
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
>
> I haven't looked at Zope 2, sorry.

I would venture to say that almost nobody in the Z2 world uses
zope.pluggableauth: they use Products.PluggableAuthService or another
Z2-specific solution. The SessionAuth plugin for PAS does put the
credentials in the session, IIRC.

Tres.
--
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software  Excellence by Design  http://palladion.com
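The mechanism the three messages describe (a session-based credentials plugin caching the submitted login and password in session data that is persisted in the ZODB) side by side with the alternative that keeps only the authenticated principal, as an added example that is not zope.pluggableauth's or PluggableAuthService's own code. The session container is a plain dict standing in for the persistent one; the session keys, class names and the PBKDF2-based user store are assumptions made for the example. The audit function at the end is the check a practitioner would want to run over a session store to see whether live passwords are sitting in it.

```python
"""Constructed example (added here; not zope.pluggableauth's own code) of
two ways a forms-and-sessions login can remember who is logged in, plus an
audit check for the first one.

`sessions` is a plain dict standing in for the persistent session data
container; in Zope that container lives in the ZODB, so whatever a
credentials plugin stores there ends up on disk.  Session keys, class names
and the PBKDF2 user store are assumptions made for this example."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # illustrative work factor for the sample user store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(users: dict) -> dict:
    """Constructed user store: login -> (salt, digest).  Plaintext is used
    only here to set up the sample and is never retained."""
    store = {}
    for login, password in users.items():
        salt = os.urandom(16)
        store[login] = (salt, _hash_password(password, salt))
    return store


def verify(user_store: dict, login: str, password: str) -> bool:
    """Constant-time check against the stored digest; an unknown login still
    pays for one hash so it is not distinguishable by timing."""
    record = user_store.get(login)
    if record is None:
        _hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _hash_password(password, salt))


class PlaintextSessionCredentials:
    """The pattern the thread complains about: the credentials plugin caches
    the submitted login and password so an authenticator plugin can re-check
    them on every later request.  The password therefore lives in the
    persistent session for as long as the session does."""
    KEY = "demo.credentials"  # hypothetical session key

    def __init__(self, sessions: dict):
        self.sessions = sessions

    def login(self, session_id: str, login: str, password: str) -> None:
        data = self.sessions.setdefault(session_id, {})
        data[self.KEY] = {"login": login, "password": password}

    def extract(self, session_id: str):
        return self.sessions.get(session_id, {}).get(self.KEY)


class PrincipalSessionCredentials:
    """Hardened variant: verify the password once at login and keep only the
    authenticated principal id.  A leaked session store then yields at most a
    list of who was logged in, never a reusable secret."""
    KEY = "demo.principal"  # hypothetical session key

    def __init__(self, sessions: dict, user_store: dict):
        self.sessions = sessions
        self.user_store = user_store

    def login(self, session_id: str, login: str, password: str) -> bool:
        if not verify(self.user_store, login, password):
            return False  # nothing is written to the session on failure
        self.sessions.setdefault(session_id, {})[self.KEY] = login
        return True

    def extract(self, session_id: str):
        return self.sessions.get(session_id, {}).get(self.KEY)


def _string_leaves(value):
    """Yield every string stored, at any depth, inside a session value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _string_leaves(v)
    elif isinstance(value, (list, tuple, set)):
        for v in value:
            yield from _string_leaves(v)


def find_plaintext_passwords(sessions: dict, user_store: dict) -> list:
    """Audit check: report every string in the session store that verifies
    as some user's current password, as (session_id, key, login) triples.
    An empty list means no session is holding a live password."""
    hits = []
    for session_id, data in sessions.items():
        for key, value in data.items():
            for leaf in _string_leaves(value):
                for login in user_store:
                    if verify(user_store, login, leaf):
                        hits.append((session_id, key, login))
    return hits
```

The audit deliberately matches by verifying each stored string against the user store rather than by looking for a key called `password`, so it also catches credentials tucked into nested structures under other names. The principal-only variant shifts trust onto the session itself: the session identifier must be unguessable and the session must expire, because anyone who can present it is the principal until it does.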