authentication for seaside

> things i would like to see:
>
> ability to create new accounts.
> send email to validate account.
> send email on forgot password.
> update password.
> update account information (email address, etc)..
>
> if this hasn't been done yet, i wouldn't mind doing it.. i have to do
> it anyway..
>
> thanks!

> is there a separate module i can just install an run with for seaside?
> it seems like this is something that is needed in just about every
> app, but i haven't really seen anything..
>
> things i would like to see:
>
> ability to create new accounts.
> send email to validate account.
> send email on forgot password.
> update password.
> update account information (email address, etc)..
>
> if this hasn't been done yet, i wouldn't mind doing it.. i have to do
> it anyway..
>
> thanks!
>
> --
> ----
> peace,
> sergio
> photographer, journalist, visionary
>
> http://www.CodingForHire.com
> http://www.coffee-black.com
> http://www.painlessfrugality.com
> http://www.twitter.com/sergio_101
> http://www.facebook.com/sergio101
> _______________________________________________
> seaside mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>

> Regarding consolidation of account login security:
>
> I think it depends on the purpose of the password and the account. If
> the account exists only to separate one user's data from another's,
> then one could argue the password is actually not needed at all; the
> username is enough. If, in contrast, the purpose of the password is
> for security, then the password is a critically important part of
> preventing unauthorized access to the user's information.
>
> Users have for years been using the word "password" and other
> easy-to-guess words as their password and many of these users have
> suffered the consequences. Entrusting the security of all your on-line
> accounts to a single entity, be it Facebook, Twitter, or a national
> government provides a single point of failure for the security of the
> associated accounts. This is the same reason why using the same
> password for multiple accounts is ill-advised.
>
> Passwords are vulnerable not only to on-line hacking, but also to
> theft or hacking from within the organization that maintains and
> verifies the password. I believe the threat from inside the
> password-holding organization is probably as great or greater than the
> threat from outside given the greater level of access those inside the
> organization have.
>
> I have divided my on-line accounts into two groups: those whose
> security is not important because they do not contain any personal
> information, and those whose security is indeed important, such as
> on-line bank accounts and any account containing personal information
> that could lead to identity theft. I use one password for all the
> insecure accounts, and a different password for each of the secure
> accounts. That way if a password is revealed, only one account is
> immediately compromised.
>
> I understand keeping track of many passwords is inconvenient and just
> automatically using one's Facebook login at another site is very
> convenient. Convenience is also the reason why people use the word
> "password" as their password. I, personally, would not use automatic
> Facebook or Twitter login for any but my insecure accounts -- and
> those are almost by definition, the accounts that are not very
> important to me.
>
> I have three friends whose on-line accounts were compromised and who
> lost significant amounts of money and suffered months of continued
> problems recovering from identity theft. These were not rich people.
> This does happen.
>
> I think there is still a place for per-site login and security,
> inconvenient as it may be.
> _______________________________________________
> seaside mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>

> There are many views on this topic, and most of them are right to a certain extent. I particularly agree with the title of this post http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html and with some parts of the article itself. I've been doing some research recently regarding password storing, why it should be avoided if possible and what you should do if you have no alternativa; maybe these links are helpful to someone else:
>
> http://www.openwall.com/articles/PHP-Users-Passwords
> http://www.securityfocus.com/columnists/388/
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
> http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
> http://www.skrenta.com/2007/08/md5_tutorial.html
> http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
> http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
> http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
> http://chargen.matasano.com/chargen/2006/4/28/oh-meebo.html
>
> HTH,
>        Andrés
>
>
> Tony Fleig escribió:
>> Regarding consolidation of account login security:
>> I think it depends on the purpose of the password and the account. If
>> the account exists only to separate one user's data from another's,
>> then one could argue the password is actually not needed at all; the
>> username is enough. If, in contrast, the purpose of the password is
>> for security, then the password is a critically important part of
>> preventing unauthorized access to the user's information.
>> Users have for years been using the word "password" and other
>> easy-to-guess words as their password and many of these users have
>> suffered the consequences. Entrusting the security of all your on-line
>> accounts to a single entity, be it Facebook, Twitter, or a national
>> government provides a single point of failure for the security of the
>> associated accounts. This is the same reason why using the same
>> password for multiple accounts is ill-advised.
>> Passwords are vulnerable not only to on-line hacking, but also to
>> theft or hacking from within the organization that maintains and
>> verifies the password. I believe the threat from inside the
>> password-holding organization is probably as great or greater than the
>> threat from outside given the greater level of access those inside the
>> organization have.
>> I have divided my on-line accounts into two groups: those whose
>> security is not important because they do not contain any personal
>> information, and those whose security is indeed important, such as
>> on-line bank accounts and any account containing personal information
>> that could lead to identity theft. I use one password for all the
>> insecure accounts, and a different password for each of the secure
>> accounts. That way if a password is revealed, only one account is
>> immediately compromised.
>> I understand keeping track of many passwords is inconvenient and just
>> automatically using one's Facebook login at another site is very
>> convenient. Convenience is also the reason why people use the word
>> "password" as their password. I, personally, would not use automatic
>> Facebook or Twitter login for any but my insecure accounts -- and
>> those are almost by definition, the accounts that are not very
>> important to me.
>> I have three friends whose on-line accounts were compromised and who
>> lost significant amounts of money and suffered months of continued
>> problems recovering from identity theft. These were not rich people.
>> This does happen.
>> I think there is still a place for per-site login and security,
>> inconvenient as it may be.
>> _______________________________________________
>> seaside mailing list
>> [hidden email]
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> _______________________________________________
> seaside mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

> Message: 3
> Date: Wed, 29 Dec 2010 11:50:04 -0300
> From: andres<[hidden email]>
> Subject: Re: [Seaside] authentication for seaside
> To: Seaside - general discussion<[hidden email]>
> Message-ID:<[hidden email]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> There are many views on this topic, and most of them are right to a
> certain extent. I particularly agree with the title of this post
> http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
> and with some parts of the article itself. I've been doing some research
> recently regarding password storing, why it should be avoided if
> possible and what you should do if you have no alternativa; maybe these
> links are helpful to someone else:
>
> http://www.openwall.com/articles/PHP-Users-Passwords
> http://www.securityfocus.com/columnists/388/
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
> http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
> http://www.skrenta.com/2007/08/md5_tutorial.html
> http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
> http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
> http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
> http://chargen.matasano.com/chargen/2006/4/28/oh-meebo.html
>
> HTH,
>           Andrés

> Good, you're making an application for people (not for enginerds).
>
> The multiple user/passwords problem is a pain for this industry and
> openID and friends are far from the ideal solution.
>
> I'd try to use facebook and twitter accounts as login. Hands down.
>
> I think Andreas Raab has a repo in squeaksource.com
> <http://squeaksource.com> that has clients for those. Maybe you can play
> with those.