The passwords are hashed, not encrypted (also known as one-way encryption). A hacker getting access to the passwords file cannot decrypt them. The hacker can "theoretically" find a collision, but it is almost impossible with SHA512+HMAC (which web2py uses).
Things are different for the administrator. Nothing prevents the administrator from intercepting the communications and logging the password in a separate file. That is true for ANY application, not just web2py.

On Aug 3, 5:11 am, António Ramos <ramstei...@gmail.com> wrote:
> hello,
> what do i tell in my company to convince them to use web2py apps without
> fearing that i as administrator cannot discover their password?
>
> Thank you
>
> António
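
The one-way storage described in the reply above, as an added example that is not part of the original thread and is not web2py's own code: a password is stored as a salted HMAC-SHA512 digest, and a login is checked by recomputing that digest, never by decrypting anything. The record layout, the `site_key` parameter and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SCHEME = "hmac_sha512"  # label for this example's record format (assumption)


def hash_password(password: str, site_key: bytes, salt: Optional[str] = None) -> str:
    """Return 'scheme$salt$hexdigest'. The password itself is never stored."""
    if salt is None:
        salt = secrets.token_hex(8)  # fresh per-user salt
    mac = hmac.new(site_key, (salt + password).encode("utf-8"), hashlib.sha512)
    return f"{SCHEME}${salt}${mac.hexdigest()}"


def verify_password(candidate: str, stored: str, site_key: bytes) -> bool:
    """Recompute the digest for the candidate and compare it to the record."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False  # malformed or unknown record: reject rather than guess
    salt = parts[1]
    expected = hash_password(candidate, site_key, salt)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    key = b"constructed-example-key"  # constructed sample value
    record = hash_password("correct horse", key)
    print(record)                                          # what the table holds
    print(verify_password("correct horse", record, key))   # True
    print(verify_password("wrong guess", record, key))     # False
```

The stored record contains only the scheme label, the salt and a 128-character hex digest, so reading the table yields nothing that can be reversed into the password.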