#818: implement site_secret in passwords
--------------------------------+-------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: anonymous
Type: enhancement | Status: new
Priority: normal | Milestone: 1.1
Component: Identity | Version: 0.9a5
Severity: trivial | Resolution:
Keywords: |
--------------------------------+-------------------------------------------
Comment (by godoy):
I'm -1 on this. Especially because it makes one more point that needs to be
checked if your applications share the same database (different schemas or
even the same schema) and userbase. Besides, this will just make it one
more step to reproduce what you said: MD5 a dictionary as site secret then
use it together with the dictionary again to get MD5 for passwords.
It is better to enforce high-quality passwords using other means --- PAM,
for example, can use cracklib to check for strong or weak passwords and
only the superuser can set a weak password --- that are easy to find.
This is very specific and providing this with the same default for all
applications won't enhance security; providing this with different
"sitesecret" will make integrating applications harder.
Did I say that I'm -1 on this? ;-)
--
Ticket URL: <http://trac.turbogears.org/turbogears/ticket/818>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development