On Tuesday, April 18, 2017 at 2:19:30 PM UTC-7, lucas wrote:
> hello one and all,
>
> what about this for https://groups.google.com/forum/#!topic/web2py/4eWj_BlGWjc and I started this new thread because I think it is a different subject than the latter link.
>
> what if I sent the password as straight text in the form? meaning it is decoded from the database, sent to and from as straight text, displayed as straight text, and then encoded before it is stored back in the database. see, I am setting up managers for each firm in my model, and a manager works at the firm and can insert and update new logins/users for only their own firm. so I don't believe it is necessary for the managers to see the **** for the password. the managers are allowed to change the passwords of the other users.
>
> if you think it is really a terrible idea for security reasons, please let me know and why.
>
> if you think it is fine to set up managers with this level of control, then please tell me how to decode and encode the passwords under web2py.

Most password reset schemes only allow managers (or helpdeskians) to force a new password. In some schemes, they don't know what the new password is, just that a new one has been forced (temporary passwords can be random, and are often cut-and-pasted by the email recipient).
This (manager blindness) is good for users because users have a tendency to reuse passwords. It's one thing for a manager to know what the temporary password is when it may expire in hours and won't work on other sign-ins the user does; it's another thing for them to see that Joe always uses NCC-1701.

Furthermore, the encryption functions web2py uses are essentially one-way. There is no easy way to decrypt. web2py, during logins, only encrypts the submitted password and then compares encrypted versions. Of course, if you have a spare GPU around, you can try brute-force attacks.

/dps
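An added illustration of the two points in the reply above (one-way storage that is verified by re-hashing, and a manager-forced temporary password that expires); this is example code, not web2py's own, and the `algorithm$salt$digest` record format is only modelled on what web2py's CRYPT validator stores.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed record layout, modelled on web2py's CRYPT output ("alg$salt$digest").
# Illustrative only; web2py's actual implementation is not reproduced here.
ALG = "pbkdf2(1000,20,sha512)"
ITERATIONS, KEYLEN = 1000, 20


def hash_password(password: str, salt: str = "") -> str:
    """Return a salted, one-way record. Nothing stored here can be decoded."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), salt.encode(), ITERATIONS, KEYLEN
    )
    return f"{ALG}${salt}${digest.hex()}"


def verify_password(stored: str, submitted: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt and compare."""
    alg, salt, digest = stored.split("$", 2)
    if alg != ALG:
        return False
    candidate = hash_password(submitted, salt).split("$", 2)[2]
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def force_temporary_password(ttl_seconds: int = 3600) -> tuple:
    """Manager-side reset: random temporary password, stored hashed, with an expiry.

    The manager never learns the user's old password, and the temporary one
    is useless on the user's other sign-ins and after ttl_seconds.
    """
    temp = secrets.token_urlsafe(12)
    record = {
        "password": hash_password(temp),
        "temp_expires": time.time() + ttl_seconds,
        "must_change": True,
    }
    return temp, record


def temp_login_ok(record: dict, submitted: str, now: float = None) -> bool:
    """Accept the temporary password only while it has not expired."""
    now = time.time() if now is None else now
    if now > record["temp_expires"]:
        return False
    return verify_password(record["password"], submitted)
```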

