[Grok-dev] Setting the admin password

Uli Fouquet uli at gnufix.de
Fri Jan 9 08:18:25 EST 2009

Hi there,

there is still an open issue in the bugtracker concerning the encryption
and setting of admin passwords for grokprojects (see

The security problem here is that passwords are stored as plain text in
buildout.cfg/site.zcml. It would be a minor change to store the password
SHA1-encrypted. This would be step one.

But, as Martijn already stated, we might also need a solution then that
allows admins to set/change the password afterwards, maybe similar to
the Zope2 ``zpasswd`` utility, because the encryption works one-way only
and it (hopefully) needs brute force to recover the plain text password
from the encrypted form.

For now I think a separate command-line tool (possibly also called
``zpasswd``) would help, which could be used like so::

  MyGrokproject $ ./bin/zpasswd mgr
  Setting password for mgr
  Enter new password: 
  Retype new password:
  Password set. Restart your instance to make it active.

This functionality might also be provided as an external recipe.

I would like to collect your ideas and suggestions in that matter, so,
what do you think?

Best regards,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mail.zope.org/pipermail/grok-dev/attachments/20090109/78c47bc9/attachment.bin 
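A sketch of the proposed tool, added here as an example that is not code from the post above or from the Grok project. It hashes the password with salted SHA-1 in the ``{SSHA}`` encoding used by LDAP and Zope password managers, verifies a candidate against the stored value, and rewrites the ``password`` attribute of exactly one ``<principal>`` in a site.zcml-like file; the ``{SSHA}`` layout, the ``password_manager`` attribute in the sample file, the sample file itself and the ``SITE_ZCML LOGIN`` command line are assumptions, and the code is written for Python 3.

```python
import base64
import getpass
import hashlib
import hmac
import os
import re
import sys

# Constructed sample: a minimal site.zcml-style principal with the plain-text
# password the mail complains about. The password_manager attribute is an
# assumption; check that your Zope version's <principal> directive has it.
SAMPLE_SITE_ZCML = '''<configure xmlns="http://namespaces.zope.org/zope">
  <principal
      id="grokproject.manager"
      title="Manager"
      login="mgr"
      password="secret"
      password_manager="SSHA"
      />
</configure>
'''

SALT_LEN = 4
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).

    This is the LDAP/Zope salted-SHA-1 layout, assumed here rather than taken
    from the Grok project. The salt defeats precomputed hash tables; it does
    not make brute force of a weak password hard."""
    if isinstance(password, str):
        password = password.encode('utf-8')
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_check(stored, candidate):
    """Verify candidate against a stored '{SSHA}' value in constant time."""
    if not stored.startswith('{SSHA}'):
        return False
    try:
        raw = base64.b64decode(stored[len('{SSHA}'):])
    except (ValueError, TypeError):
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if isinstance(candidate, str):
        candidate = candidate.encode('utf-8')
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


PRINCIPAL_RE = re.compile(r'<principal\b[^>]*>', re.S)
PASSWORD_ATTR_RE = re.compile(r'password="[^"]*"')  # does not match password_manager=


def set_password(zcml_text, login, new_value):
    """Replace the password attribute of the principal whose login matches.

    Exactly one principal must match, and it must carry a password attribute;
    anything else raises ValueError so a typo never silently leaves the old
    plain-text value in place."""
    login_attr = 'login="%s"' % login
    hits = []

    def replace_element(match):
        element = match.group(0)
        if login_attr not in element:
            return element
        hits.append(element)
        # A callable replacement avoids backslash handling on the hash text.
        new_element, n = PASSWORD_ATTR_RE.subn(
            lambda _: 'password="%s"' % new_value, element, count=1)
        if n != 1:
            raise ValueError('principal with %s has no password attribute' % login_attr)
        return new_element

    new_text = PRINCIPAL_RE.sub(replace_element, zcml_text)
    if len(hits) != 1:
        raise ValueError('expected one principal with %s, found %d'
                         % (login_attr, len(hits)))
    return new_text


def main(argv=None):
    """Command line in the spirit of the proposed ./bin/zpasswd (assumed usage)."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write('usage: zpasswd SITE_ZCML LOGIN\n')
        return 2
    path, login = argv
    print('Setting password for %s' % login)
    first = getpass.getpass('Enter new password: ')
    second = getpass.getpass('Retype new password: ')
    if first != second:
        sys.stderr.write('Passwords do not match.\n')
        return 1
    if not first:
        sys.stderr.write('Empty password refused.\n')
        return 1
    with open(path, 'r', encoding='utf-8') as fh:
        text = fh.read()
    new_text = set_password(text, login, ssha_encode(first))
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(new_text)
    print('Password set. Restart your instance to make it active.')
    return 0


if __name__ == '__main__':
    sys.exit(main())
```

Run it as ``python zpasswd.py etc/site.zcml mgr``; the prompts are read with ``getpass`` so the password never lands in shell history or the process argument list. The hashed value is only useful if the principal directive tells Zope which password manager to check it with, so keep the ``password_manager`` attribute (or whatever your Zope version uses) in step with the encoding the tool writes.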
