
Ticket #2289 (closed enhancement: fixed)

Opened 10 years ago

Last modified 9 years ago

Don't transmit cleartext passwords over the network

Reported by: pitrou
Owned by:
Priority: low
Milestone: 2.1rc1
Component: TurboGears
Version: 2.0b7
Severity: normal
Keywords:
Cc:

Description

Current login forms created by TurboGears transmit the password as a normal, cleartext form parameter. It would not be that difficult to remove cleartext transmission by using e.g. a SHA1 implementation written in JavaScript (there are some on the Internet). I did it years ago (using MD5 at the time) for a PHP-written CMS. It doesn't defeat all kinds of attacks (a man in the middle could only be protected against through HTTPS) but at least the passwords can't be sniffed.

However, a more annoying problem would be deciding when the hashed password is sufficient and when the cleartext password is really needed for authentication (the default database-backed authentication scheme only needs the hashed password, but other auth schemes like LDAP could need the cleartext password).
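As an added illustration of the trade-off the ticket describes (this is not TurboGears or repoze.who code), the following Python model compares the proposed client-side SHA1 scheme against a stored digest with a nonce-bound variant in which a captured login message is not reusable; it assumes an unsalted `sha1(password)` store, which is exactly why it only works for the database-backed scheme and not for a backend such as LDAP that needs the cleartext.

```python
import hashlib
import hmac
import secrets

# Constructed sample account: the server holds only sha1(password), as the
# ticket says the default database-backed scheme does (unsalted, for this model).
USERS = {"alice": hashlib.sha1(b"correct horse").hexdigest()}


def client_hash(password: str) -> str:
    """What the ticket proposes: browser-side code hashes the password, so the
    cleartext never leaves the client."""
    return hashlib.sha1(password.encode()).hexdigest()


def server_verify_plain_hash(user: str, digest: str) -> bool:
    """Naive variant: compare the received digest with the stored one.
    Nothing binds the digest to this login, so whoever observes it on the
    wire holds a password-equivalent credential that works again later."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, digest)


def server_issue_nonce() -> str:
    """One-time challenge the server sends with the login form."""
    return secrets.token_hex(16)


def client_response(password: str, nonce: str) -> str:
    """Challenge-response variant: the client proves knowledge of
    sha1(password) for this nonce only; the digest itself is never sent."""
    key = nonce.encode()
    return hmac.new(key, client_hash(password).encode(), hashlib.sha1).hexdigest()


def server_verify_response(user: str, nonce: str, response: str) -> bool:
    """The server can recompute the response only because it stores the very
    value the client hashes to. A backend that must forward the cleartext
    (e.g. an LDAP bind) cannot participate in this exchange at all."""
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(nonce.encode(), stored.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, response)
```

Neither variant protects against an active man in the middle who alters the page or the form, which is the gap the ticket leaves to HTTPS.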

Change History

comment:1 follow-up: ↓ 2 Changed 10 years ago by percious

I think this is application-specific and should not be part of the core. Use HTTPS if you want password protection.

-1

comment:2 in reply to: ↑ 1 Changed 10 years ago by pitrou

Replying to percious:

I think this is application-specific and should not be part of the core.

Are you kidding? If hashing passwords is application-specific, then why are the passwords hashed in the database by default?

Use HTTPS if you want password protection.

This is grotesque. HTTPS needs many more resources than a simple password hashing scheme.

comment:3 Changed 10 years ago by mramm

  • Status changed from new to closed
  • Resolution set to fixed

Looks like Paul Johnson is implementing something like this for repoze.who/what, so we'll eventually use what he's done for people who need this.

Though I think it's reasonable to do SSL for login pages, and that is likely to continue to be the recommended default.

comment:4 Changed 9 years ago by percious

  • Milestone changed from 2.1 to 2.1rc1