#2289: Don't transmit cleartext passwords over the network
-------------------------+--------------------------------------------------
Reporter: pitrou | Owner:
Type: enhancement | Status: new
Priority: low | Milestone: 2.1
Component: TurboGears | Version: 2.0b7
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
Current login forms created by TurboGears transmit the password as a
normal, cleartext form parameter. It would not be that difficult to remove
cleartext transmission by using e.g. a SHA1 implementation written in
JavaScript (there are some on the Internet). I did it years ago (using MD5
at the time) for a PHP-written CMS. It doesn't defeat all kinds of attacks
(a man in the middle could only be protected against through HTTPS), but at
least the passwords can't be sniffed.
However, a more annoying problem would be deciding when the hashed
password is sufficient and when the cleartext password is really needed
for authentication (the default database-backed authentication scheme only
needs the hashed password, but other auth schemes like LDAP could need the
cleartext password).
--
Ticket URL: <http://trac.turbogears.org/ticket/2289>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
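The proposal above and its open question (which backends can consume a pre-hashed password) are modelled in the added example below. It is editor-supplied code, not TurboGears code and not the reporter's implementation: the user table, the two backend classes, `login` and `replay` are assumptions made for illustration, and the LDAP backend is a simulation of a directory bind rather than a real LDAP client. It shows the pre-hashed value staying off the wire for the database scheme, the directory scheme still needing the cleartext, and the caveat a practitioner wants to see: a sniffer who captures the SHA1 value can replay it as-is, because the hash has become the credential.

```python
"""Client-side password pre-hashing modelled end to end (added example).

Assumed for illustration: USERS, DatabaseBackend, LdapLikeBackend,
login() and replay(). Nothing here is part of the TurboGears auth stack.
"""
import hashlib
import hmac

# Constructed sample data: one user and the password they would type.
USERS = {"alice": "correct horse battery staple"}


def client_prehash(password: str) -> str:
    """What the proposed JavaScript would compute in the browser before submit."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


class DatabaseBackend:
    """Database-backed scheme: stores sha1(password), so a pre-hash is enough."""

    def __init__(self, users):
        self._hashes = {u: client_prehash(p) for u, p in users.items()}

    def accepts_prehash(self) -> bool:
        return True

    def verify(self, user: str, credential: str, prehashed: bool) -> bool:
        stored = self._hashes.get(user)
        if stored is None:
            return False
        submitted = credential if prehashed else client_prehash(credential)
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(stored, submitted)


class LdapLikeBackend:
    """Simulated directory bind: the directory needs the cleartext password
    to check it itself, so a client-side hash cannot be used at all."""

    def __init__(self, users):
        self._users = dict(users)

    def accepts_prehash(self) -> bool:
        return False

    def verify(self, user: str, credential: str, prehashed: bool) -> bool:
        if prehashed:
            return False  # a bind with a hash instead of the password fails
        expected = self._users.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode("utf-8"),
                                   credential.encode("utf-8"))


def login(backend, user: str, password: str):
    """The decision the ticket asks about: pre-hash only when the backend
    can consume a hash. Returns (ok, wire_value); wire_value is the form
    parameter a sniffer on the network would see."""
    prehashed = backend.accepts_prehash()
    wire_value = client_prehash(password) if prehashed else password
    return backend.verify(user, wire_value, prehashed), wire_value


def replay(backend, user: str, sniffed_wire_value: str) -> bool:
    """A passive sniffer resubmits the captured form parameter unchanged."""
    return backend.verify(user, sniffed_wire_value, backend.accepts_prehash())


def demo():
    """Run both schemes and report what crossed the wire and whether a
    replay of that value logs in."""
    report = {}
    for name, backend in (("database", DatabaseBackend(USERS)),
                          ("ldap", LdapLikeBackend(USERS))):
        ok, wire = login(backend, "alice", USERS["alice"])
        report[name] = {
            "login_ok": ok,
            "password_on_wire": wire == USERS["alice"],
            "replay_ok": replay(backend, "alice", wire),
        }
    return report


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(scheme, result)
```

For the database scheme the password itself never leaves the browser, which is the gain the ticket describes; but `replay_ok` is true for both schemes, so pre-hashing changes what a sniffer captures, not whether the capture is usable. Only HTTPS closes that gap, as the ticket itself notes for the man in the middle.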