Re: AuthKit: support for encrypted passwords
Hi Josh,

Josh Heitzman wrote:
> I dug around a bit. What Unix systems used to use was called crypt. Some
> are currently a salt + MD5, but apparently the better algorithm is
> considered to be bcrypt, which includes a 128-bit salt and uses a
> variable cycle encryption algorithm. A python implementation of bcrypt
> can be had here http://www.mindrot.org/projects/py-bcrypt, but perhaps
> all AuthKit needs is a mechanism for the client to specify a function it
> should call to compare a submitted password to a stored password. By
> default AuthKit would supply a function that just did a straight
> comparison, keeping the default behavior as it is now, but allowing the
> client to override that with whatever password encryption scheme they
> prefer. Sound reasonable?

This already exists actually. You just need to specify a custom
valid_password() function (or digest_password() if you are using HTTP
digest). It is documented here:

http://authkit.org/docs/manual.html#basic-http-1-0-authentication

Since you mentioned bcrypt, here's an example I expect would work:

    from authkit.authenticate import middleware, test_app
    import bcrypt

    def valid(environ, username, password):
        # The middleware places the users object in the WSGI environ
        if 'authkit.users' not in environ:
            raise Exception("You haven't setup any users")
        users = environ['authkit.users']
        if username.lower() in users.passwords:
            # The stored value is the bcrypt hash (which carries its own
            # salt); hashing the submitted password with it as the salt
            # reproduces the stored value only if the passwords match
            hashed = users.passwords[username.lower()]
            return bcrypt.hashpw(password, hashed) == hashed
        return False

    app = middleware(
        test_app,
        method='basic',
        realm='Test Realm',
        users_valid=valid
    )

    from paste.httpserver import serve
    serve(app, host='0.0.0.0', port=8080)

Cheers,

James

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups pylons-discuss group.
To post to this group, send email to pylons-discuss@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en
-~--~~~~--~~--~--~---
Re: AuthKit: support for encrypted passwords
On Feb 1, 7:09 am, James Gardner [EMAIL PROTECTED] wrote:
> This already exists actually. You just need to specify a custom
> valid_password() function (or digest_password() if you are using HTTP
> digest). It is documented here:
> http://authkit.org/docs/manual.html#basic-http-1-0-authentication

Thanks James! I missed that my first time through the docs.
Re: AuthKit: support for encrypted passwords
On 1/17/07, James Gardner [EMAIL PROTECTED] wrote:
> Hi Josh,
>
> It does HTTP digest authentication. What exactly did you have in mind?

Perhaps he means authentication that works with simple forms or basic, but
stores the password as sha1(salt + password). The credential would then be
stored as

    username:salt:hexdigest

This is fairly standard practice, and provides decent security for casual
apps. It's what my app does with authkit set to 'forward'.

--
Robert Sayre
Re: AuthKit: support for encrypted passwords
Robert Sayre wrote:
> Perhaps he means authentication that works with simple forms or basic,
> but stores the password as sha1(salt + password). The credential would
> then be stored as
>
>     username:salt:hexdigest
>
> This is fairly standard practice, and provides decent security for casual
> apps. It's what my app does with authkit set to 'forward'.

Yes, I do mean something along those lines, although I was thinking
something more akin to the mechanism by which Unix currently stores
encrypted passwords in plain text (if it's still doing so, I know it used
to, but the original mechanism is no longer secure, and I believe new
mechanisms are now in use). There have been some attacks developed on
SHA-1 in recent years, so it would probably need to be at least Tiger-192
or SHA-256.
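Worked example of the scheme Robert describes (username:salt:hexdigest) and the stronger digest Josh asks for, written in the users_valid callback shape James's reply shows. This is added code, not AuthKit's and not from anyone in the thread: the Users class is an assumed stand-in for the object AuthKit puts in environ['authkit.users'], the algorithm name is a hashlib parameter so the same code covers sha1(salt + password) and SHA-256, the sample credential lines are constructed, and the comparison is done in constant time, which the thread does not mention.

```python
import hashlib
import hmac
import os

# Stored line format from the thread: username:salt:hexdigest.
# 'algorithm' is any hashlib name, so sha1 (Robert's scheme) and sha256
# (Josh's suggestion) share one code path. Nothing here is AuthKit code.


def _digest(algorithm, salt, password):
    """hexdigest of salt followed by password under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def make_credential(username, password, algorithm="sha256", salt=None):
    """Return the 'username:salt:hexdigest' line to store for a new user."""
    if salt is None:
        # 128 bits from the OS CSPRNG, hex-encoded so the line stays printable
        salt = os.urandom(16).hex()
    return "%s:%s:%s" % (username, salt, _digest(algorithm, salt, password))


def parse_credential(line):
    """Split a stored line into (username, salt, hexdigest).

    rsplit is used so a username containing ':' still parses; salt and
    digest are hex and never contain ':'.
    """
    username, salt, digest = line.strip().rsplit(":", 2)
    return username, salt, digest


class Users(object):
    """Assumed stand-in for AuthKit's users object: exposes a .passwords
    dict keyed by lower-cased username, as James's example expects."""

    def __init__(self, lines):
        self.passwords = {}
        for line in lines:
            if not line.strip() or line.startswith("#"):
                continue
            username, salt, digest = parse_credential(line)
            self.passwords[username.lower()] = (salt, digest)


def check_password(salt, stored_digest, password, algorithm="sha256"):
    """Recompute the digest and compare in constant time, so a wrong guess
    takes the same time whether it matches the first hex digit or none."""
    candidate = _digest(algorithm, salt, password)
    return hmac.compare_digest(candidate, stored_digest)


def valid(environ, username, password, algorithm="sha256"):
    """users_valid-style callback: True only for a known user with a matching password."""
    if "authkit.users" not in environ:
        raise Exception("You haven't set up any users")
    passwords = environ["authkit.users"].passwords
    entry = passwords.get(username.lower())
    if entry is None:
        # Unknown user: still spend one digest so response time does not
        # reveal which usernames exist.
        _digest(algorithm, "", password)
        return False
    salt, digest = entry
    return check_password(salt, digest, password, algorithm)


# Constructed sample store (fixed salts so the lines are reproducible; a
# real deployment would let make_credential draw them from os.urandom).
SAMPLE_LINES = [
    "# username:salt:hexdigest",
    make_credential("alice", "correct horse", salt="5f3e2d1c0b0a99887766554433221100"),
    make_credential("bob", "hunter2", salt="00112233445566778899aabbccddeeff"),
]


def demo_environ():
    """Minimal WSGI-style environ carrying the users object, for running offline."""
    return {"authkit.users": Users(SAMPLE_LINES)}


if __name__ == "__main__":
    env = demo_environ()
    print(valid(env, "alice", "correct horse"))  # True
    print(valid(env, "Alice", "wrong"))          # False
    print(valid(env, "carol", "anything"))       # False
```

Because the stored line carries no algorithm field, one digest function applies to the whole store; migrating from sha1 to sha256 means rehashing each user at their next successful login rather than mixing both in one file.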
Re: AuthKit: support for encrypted passwords
I dug around a bit. What Unix systems used to use was called crypt. Some
are currently a salt + MD5, but apparently the better algorithm is
considered to be bcrypt, which includes a 128-bit salt and uses a variable
cycle encryption algorithm. A python implementation of bcrypt can be had
here http://www.mindrot.org/projects/py-bcrypt, but perhaps all AuthKit
needs is a mechanism for the client to specify a function it should call
to compare a submitted password to a stored password. By default AuthKit
would supply a function that just did a straight comparison, keeping the
default behavior as it is now, but allowing the client to override that
with whatever password encryption scheme they prefer. Sound reasonable?