[Zope-DB] Plaintext Password Concerns

Cliff Ford Cliff.Ford@ed.ac.uk
Fri, 16 May 2003 04:10:41 +0100

"David A. Riggs" wrote:
> Our University would like to give out Zope accounts for
> groups of students so they may experiment and work on
> various projects. One key feature that people would like
> to use is connectivity to a PostgreSQL database.
> We take security very seriously and would like some way
> around storing plaintext passwords in the connection
> strings for the Psycopg Database Connectors. Has anyone
> come up with some alternative to this or a solution to
> this possible security hazard?
> David A. Riggs
> lukewarm@ultrasoul.com
> West Virginia University CS/EE

The solution to this problem for my Department involved a modification 
to exUserFolder. For authentication a login/logout call is made on the 
University IMAP mail server (the Username/Password form is submitted 
using https). If that works we have a known unique University username - 
and the Department does not know what the passwords are or provide any 
mechanism for maintaining them - that is taken care of by the mail 
system (and the users don't have to have yet another Username-Password 
combination to remember). Next, the user is looked up in the Department 
database to set the role. That allows us to distinguish between folk who 
are allowed to create material and the rest of the University. We make 
heavy use of local roles managed programmatically. So, for example, a 
user only has to click a link to create a Home page and become its 
Manager through the local role. There is only one exUserFolder acl_users 
folder for the entire site, one level down from the root which normal 
users can't see or access. It seems to work very well. However, the site 
has not yet been made public so there is still time for someone to point 
out any flaws in this approach. The database does not matter - we have 
used both Oracle and MySQL in development. The Password field is not 
used - well actually we have one or two people who are not members of 
the University and therefore do not have mail accounts - so the field is 
used for them - I have one (or more) test accounts via this route.
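The login flow described above (try a LOGIN then LOGOUT on the University IMAP server over TLS, look the username up in a Department table to decide the role, and fall back to the local Password field only for the handful of people without University mail accounts), sketched as an added Python example. This is not exUserFolder code or anything posted in the thread; the IMAP host, the sqlite stand-in for the Department database, the role names, the PBKDF2 hashing of the local fallback passwords and the test double for the mail server are all assumptions made for the example.

```python
"""Delegate password checking to the University IMAP server, then map the
username to a role from a local table.  Added illustration, not exUserFolder
code.  Role names, the sqlite table and the test double are constructed."""
import hashlib
import hmac
import imaplib
import os
import sqlite3
from typing import Callable, Dict, Optional

Verifier = Callable[[str, str], bool]   # (username, password) -> accepted?

DEFAULT_ROLE = "Member"     # assumed: anyone in the University who is not staff
PBKDF2_ROUNDS = 200_000


def imap_verify(host: str) -> Verifier:
    """Return a verifier that does LOGIN then LOGOUT on the mail server over
    TLS (port 993).  The mail system decides whether the password is right;
    the department never stores or sees it again."""
    def verify(username: str, password: str) -> bool:
        try:
            conn = imaplib.IMAP4_SSL(host)
        except OSError:
            return False                  # server unreachable: fail closed
        try:
            conn.login(username, password)
            return True
        except imaplib.IMAP4.error:
            return False                  # bad credentials (or login refused)
        finally:
            try:
                conn.logout()
            except (imaplib.IMAP4.error, OSError):
                pass
    return verify


def fake_verifier(accepted: Dict[str, str]) -> Verifier:
    """Constructed test double standing in for the IMAP server."""
    return lambda username, password: accepted.get(username) == password


def make_dept_db() -> sqlite3.Connection:
    """Constructed stand-in for the Department database: who may author."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    db.executemany("INSERT INTO staff VALUES (?, ?)",
                   [("cford", "Author"), ("jbloggs", "Author")])
    return db


def lookup_role(db: sqlite3.Connection, username: str) -> str:
    """Staff listed in the Department table get their role; everyone else
    who authenticated is a plain Member."""
    row = db.execute("SELECT role FROM staff WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else DEFAULT_ROLE


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256 for the few local (non-University) accounts, so
    even the fallback never keeps a plaintext password.  Format: salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def authenticate(username: str, password: str, verify: Verifier,
                 db: sqlite3.Connection, local_accounts: Dict[str, str]) -> Optional[str]:
    """Return the role to grant, or None when authentication fails.
    Order follows the reply: the mail server is the authority; the local
    Password field is consulted only for accounts the mail server rejects."""
    if verify(username, password):
        return lookup_role(db, username)
    stored = local_accounts.get(username)
    if stored is not None and check_password(stored, password):
        return lookup_role(db, username)
    return None


if __name__ == "__main__":
    # Offline demo with the test double; swap in imap_verify("imap.example")
    # (assumed host name) against a real server.
    dept = make_dept_db()
    mail = fake_verifier({"cford": "correct horse", "astudent": "battery staple"})
    locals_ = {"guest": hash_password("visitor pass")}
    for user, pw in [("cford", "correct horse"), ("astudent", "battery staple"),
                     ("cford", "wrong"), ("guest", "visitor pass")]:
        print(user, "->", authenticate(user, pw, mail, dept, locals_))
```

The only secret the department keeps is the PBKDF2 hash for the local fallback accounts; University users' passwords pass through the HTTPS form to the IMAP LOGIN and are discarded. The `imap_verify` closure fails closed when the mail server is unreachable, which is the behaviour you want for an authentication dependency.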