On Tuesday, April 18, 2017 at 2:19:30 PM UTC-7, lucas wrote:
>
> hello one and all,
>
> what about this for 
> https://groups.google.com/forum/#!topic/web2py/4eWj_BlGWjc and I started 
> this new thread because I think it is a different subject than the latter 
> link.
>
> what if I sent the password as straight text in the form?  meaning it is 
> decoded from the database, sent to and from as straight text, displayed as 
> straight text, and then encoded before it is stored back in the database. 
>  see I am setting up managers for each firm in my model.  and a manager 
> works at the firm and can insert and update new logins/users for only their 
> own firm.  so I don't believe it is necessary for the managers to see the 
> **** for the password.  the managers are allowed to change the passwords of 
> the other users.
>
> if you think it is really a terrible idea for security reasons, please let me 
> know and why.
>
> if you think it is fine to set up managers with this level of control, then 
> please tell me how to decode and encode the passwords under web2py.
>
>
Most password reset schemes only allow managers (or helpdeskians) to force 
a new password.  In some schemes, they don't know what the new password is, 
just that a new one has been forced (temporary passwords can be random, and 
are often cut-and-pasted by the email recipient).  

This (manager blindness) is good for users because users have a tendency 
to reuse passwords.  It's one thing for a manager to know what the 
temporary password is when it may expire in hours and won't work on other 
sign-ins the user does; it's another thing for them to see that Joe always 
uses NCC-1701.

Furthermore, the encryption functions web2py uses are essentially one-way.  
There is no easy way to decrypt.  web2py, during logins, only encrypts the 
submitted password and then compares encrypted versions.  Of course, if you 
have a spare GPU around, you can try brute-force attacks.

/dps
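The scheme described above (a manager forces a random, short-lived temporary password, never sees the user's real one, and the server only ever compares one-way hashes) in working form. This is an added example, not web2py's own code: it assumes a user record is a plain dict with the keys `password_hash`, `temp_expires` and `must_change`, and uses PBKDF2-SHA256 from the standard library in place of web2py's own CRYPT validator.

```python
"""Manager-forced temporary password on top of one-way password hashing.

Added example (not web2py's code). Assumes a user record is a plain dict with
the keys 'password_hash', 'temp_expires' and 'must_change'.
"""
import hashlib
import hmac
import os
import secrets
import string
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000          # work factor for the one-way hash
TEMP_PASSWORD_TTL = 4 * 60 * 60      # a temporary password is good for 4 hours
TEMP_ALPHABET = string.ascii_letters + string.digits


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-SHA256 record string; there is no inverse function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Login check: hash the submitted password the same way, compare the hashes."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_user(password: str) -> dict:
    """Constructed user record: only the hash is kept, never the password itself."""
    return {"password_hash": hash_password(password),
            "temp_expires": None, "must_change": False}


def force_temporary_password(user: dict, now: Optional[float] = None) -> str:
    """Manager action: replace the user's password with a random temporary one.

    The manager never learns the old password (it cannot be decrypted), and the
    temporary one is returned exactly once so it can be handed to the user.
    """
    now = time.time() if now is None else now
    temp = "".join(secrets.choice(TEMP_ALPHABET) for _ in range(12))
    user["password_hash"] = hash_password(temp)
    user["temp_expires"] = now + TEMP_PASSWORD_TTL
    user["must_change"] = True
    return temp


def login(user: dict, password: str, now: Optional[float] = None) -> bool:
    """Accept only a password that hashes to the stored value; a temporary
    password is additionally rejected once its expiry has passed."""
    now = time.time() if now is None else now
    if not verify_password(password, user["password_hash"]):
        return False
    if user["temp_expires"] is not None and now > user["temp_expires"]:
        return False
    return True


def change_password(user: dict, current: str, new: str,
                    now: Optional[float] = None) -> bool:
    """User action after a forced reset: prove the temporary password, then set
    a permanent one, which clears the expiry and the must-change flag."""
    if not login(user, current, now):
        return False
    user["password_hash"] = hash_password(new)
    user["temp_expires"] = None
    user["must_change"] = False
    return True


if __name__ == "__main__":
    user = new_user("NCC-1701")          # constructed sample user
    t0 = 1_000_000.0                      # constructed clock value
    temp = force_temporary_password(user, now=t0)
    print("temporary password handed to user:", temp)
    print("old password still works?", login(user, "NCC-1701", now=t0))
    print("temp works within TTL?", login(user, temp, now=t0 + 60))
    print("temp works after TTL?",
          login(user, temp, now=t0 + TEMP_PASSWORD_TTL + 1))
```

The `now` parameter exists so the expiry can be exercised deterministically; in production it would simply default to the wall clock. Nothing in the record ever holds a recoverable password, which is why the manager's "decode" step the question asks for has no counterpart here.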

