So, did you know that by default Zope stores a copy of every user's
username and password in your ZODB, in plain text, on every login that
uses forms and sessions (rather than HTTP basic auth)?

Look for them in /++etc++site/default/PersistentSessionDataContainer,
inside the numerous SessionCredentials objects.

I would like to release zope.pluggableauth 1.2 with this change:

so that people could supply a different SessionCredentials
implementation if they so desire.  For example, they could use
keas.kmi.persistent.EncryptedPersistent as a base class.

Any comments/objections/better suggestions?

That still leaves the default behaviour being broken.  I'm not feeling
up to the task of redesigning zope.pluggableauth so it wouldn't need to
keep a copy of the user's credentials persistently.  Any takers?  By the
way, that would be a nice opportunity to fix a few other Zope3/BlueBream
authentication issues:

  * It's *insanely complicated* to log user logins and logouts, if you
    need an accurate audit log.  Or if you want to count the number of
    failed login attempts.

  * It's *insanely complicated* (if not impossible) to try to use your own
    Principal classes.

  * The default password hashing and salting scheme (SSHA) used by the
    principal folder is weak.  See

  * The password checking code in zope.password is susceptible to a timing
    attack.  See
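To make the last two bullets concrete, here is an added example that is not part of this post and not zope.password's own code. It models the SSHA layout the post criticises (one SHA-1 pass over password plus salt, salt appended to the digest) with a naive `==` check, then shows the two fixes a reviewer would ask for: a constant-time comparison via `hmac.compare_digest`, and a slow, iterated scheme (PBKDF2-HMAC-SHA256 from the standard library) with a larger salt. The prefixes, salt sizes and iteration count are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = b"{SSHA}"
PBKDF2_PREFIX = b"{PBKDF2-SHA256}"  # assumed label, not a zope.password scheme name


def ssha_encode(password, salt=None):
    """Weak scheme, modelled on SSHA: one SHA-1 pass, 4-byte salt appended."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt)


def _ssha_split(stored):
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    return raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is the salt


def ssha_check_naive(stored, password):
    """Timing-sensitive check: bytes '==' stops at the first differing byte."""
    digest, salt = _ssha_split(stored)
    return hashlib.sha1(password + salt).digest() == digest


def ssha_check_constant_time(stored, password):
    """Same weak scheme, but the comparison no longer leaks where bytes differ."""
    digest, salt = _ssha_split(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def pbkdf2_encode(password, salt=None, iterations=200_000):
    """Stronger scheme: 16-byte salt, iterated HMAC, iteration count stored."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return (PBKDF2_PREFIX + str(iterations).encode() + b"$"
            + base64.b64encode(salt) + b"$" + base64.b64encode(dk))


def pbkdf2_check(stored, password):
    """Parses the stored string defensively and compares in constant time."""
    if not stored.startswith(PBKDF2_PREFIX):
        return False
    try:
        iters, salt_b64, dk_b64 = stored[len(PBKDF2_PREFIX):].split(b"$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample password; both schemes round-trip, only one resists
    # offline guessing and a comparison-timing side channel.
    weak = ssha_encode(b"hunter2")
    strong = pbkdf2_encode(b"hunter2")
    print(weak, ssha_check_constant_time(weak, b"hunter2"))
    print(strong, pbkdf2_check(strong, b"hunter2"))
```

The naive check is kept only to show the shape of the problem; in a real password manager only the `compare_digest` variants should remain, and the stored string carries its own iteration count so the cost can be raised later without invalidating existing hashes.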

Marius Gedminas
-- 
Zope 3/BlueBream consulting and development

Zope-Dev maillist