So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
Look for them in /++etc++site/default/PersistentSessionDataContainer, inside the numerous SessionCredentials objects.

I would like to release zope.pluggableauth 1.2 with this change: http://zope3.pov.lt/trac/changeset/118971/zope.pluggableauth so that people could supply a different SessionCredentials implementation if they so desire. For example, they could use keas.kmi.persistent.EncryptedPersistent as a base class.

Any comments/objections/better suggestions?

That still leaves the default behaviour being broken. I'm not feeling up to the task of redesigning zope.pluggableauth so it wouldn't need to keep a copy of the user's credentials persistently. Any takers?

By the way, that would be a nice opportunity to fix a few other Zope3/BlueBream authentication issues:

* It's *insanely complicated* to log user logins and logouts, if you need an accurate audit log. Or if you want to count the number of failed login attempts.
* It's *insanely complicated* (if not impossible) to try to use your own Principal classes.
* The default password hashing and salting scheme (SSHA) used by the principal folder is weak. See http://codahale.com/how-to-safely-store-a-password/ and http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
* The password checking code in zope.password is susceptible to a timing attack. See http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )