[Zope] Major security flaw in Zope 2.3.2

Hannu Krosing hannu@tm.ee
Thu, 07 Jun 2001 00:00:44 +0500


Jerome Alet wrote:
> 
> I understand that there's the problem of existing third party products
> which may expect unencrypted passwords: just do it anyway and inform
> people. I suppose there won't be hundreds of such third party products.
> 
> Just do a poll: does any reader of this list expect such bad
> behavior in his own Zope products?

Afaik, the only bad behaviour from hashing (_not_ encrypting) the
passwords would be the impossibility to use password verification
methods that don't send cleartext passwords over the wire
(challenge-response password exchange).

But as the preferred method for avoiding password sniffing is using SSL
anyway, I don't think it is too much of a problem.

-----------------
Hannu
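
The trade-off described in the message above, as an added example that is not part of the original post and is not Zope code: a server that keeps only a salted hash can still check a password sent in cleartext (for instance inside SSL), but it cannot check a challenge-response reply, because that requires the same secret the client used. PBKDF2, HMAC-SHA256 and all function names here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # illustrative work factor (assumption)

def store_hashed(password):
    """What a hashing server keeps: a random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_cleartext(record, submitted):
    """Login where the password itself arrives at the server: re-hash and compare."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

def client_response(password, challenge):
    """Challenge-response client: proves knowledge of the password without sending it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def verify_challenge(server_secret, challenge, response):
    """Challenge-response server: recomputes the HMAC keyed with whatever it has stored."""
    expected = hmac.new(server_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo():
    password = "constructed-sample-password"  # constructed sample value
    record = store_hashed(password)
    challenge = os.urandom(16)
    response = client_response(password, challenge)
    return {
        # Hash store + cleartext submission: works.
        "cleartext_login_with_hash_store": verify_cleartext(record, password),
        "wrong_password_rejected": not verify_cleartext(record, "guess"),
        # Challenge-response works only if the server kept the password itself.
        "challenge_response_with_cleartext_store":
            verify_challenge(password.encode(), challenge, response),
        # With only the hash stored, the server's key differs from the client's.
        "challenge_response_with_hash_store":
            verify_challenge(record[1], challenge, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```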