Robert Sayre wrote:
Perhaps he means authentication that works with simple forms or basic,
but stores the password as sha1(salt + password). The credential would
then be stored as

username:salt:hexdigest

This is fairly standard practice, and provides decent security for
casual apps. It's what my app does with authkit set to 'forward'.

Yes, I do mean something along those lines, although I was thinking
something more akin to the mechanism by which Unix currently stores
encrypted passwords in plain text (if it's still doing so, I know it
used to, but the original mechanism is no longer secure, and I believe
new mechanisms are now in use).  There have been some attacks developed
on SHA-1 in recent years, so it would probably need to be at least
Tiger-192 or SHA-256.
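The `username:salt:hexdigest` scheme described in this exchange, as an added Python example (not code from either poster, nor from AuthKit or Pylons). The function names `make_credential`, `hash_password` and `verify_password` are assumptions for illustration; the algorithm name is a parameter so the same record layout can be produced with SHA-1, as in the original scheme, or SHA-256, as suggested in the reply. The sample usernames, passwords and the fixed salt at the bottom are constructed.

```python
import hashlib
import hmac
import secrets

# Added example of the username:salt:hexdigest credential format from the
# thread, where hexdigest = H(salt + password). Not the posters' code.


def hash_password(salt, password, algorithm="sha256"):
    """Hex digest of H(salt + password) with the named hashlib algorithm."""
    return hashlib.new(algorithm, (salt + password).encode("utf-8")).hexdigest()


def make_credential(username, password, algorithm="sha256", salt=None):
    """Build a 'username:salt:hexdigest' record.

    The salt is random per user (hex, so it cannot contain the ':' separator);
    a fixed salt may be passed in for deterministic tests.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    if ":" in username or ":" in salt:
        raise ValueError("username and salt must not contain ':'")
    return f"{username}:{salt}:{hash_password(salt, password, algorithm)}"


def parse_credential(record):
    """Split a record into (username, salt, hexdigest)."""
    username, salt, digest = record.split(":", 2)
    return username, salt, digest


def verify_password(record, password, algorithm="sha256"):
    """Recompute H(salt + candidate) and compare in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    characters of the stored digest the candidate matched.
    """
    _, salt, stored = parse_credential(record)
    candidate = hash_password(salt, password, algorithm)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample data.
    rec = make_credential("alice", "correct horse", "sha256")
    print(rec)
    print(verify_password(rec, "correct horse"))  # expected True
    print(verify_password(rec, "wrong"))           # expected False
```

Two things worth noticing when reading the record format: because the salt is stored in the clear beside the digest, its purpose is only to defeat precomputed tables and to make identical passwords hash differently, so the random per-user salt matters more than its secrecy. And since both SHA-1 and SHA-256 are fast, a leaked credential file can still be brute-forced offline at hardware speed; current practice puts a deliberately slow, iterated function such as PBKDF2 (`hashlib.pbkdf2_hmac`), bcrypt or scrypt in place of the single digest, keeping the same salted record layout.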


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to pylons-discuss@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---