I was looking into bcrypt[1] support for PAS and found z3c.bcrypt, which implements zope.password components (named utilities).

PAS, however, uses Zope2's AccessControl.AuthEncoding module to handle password encryption / hashing schemes. Now, while AuthEncoding certainly supports extending the available schemes, it does need additional glue code to be able to reuse zope.password components. Moreover, we now have two places to maintain the various hashing and encryption schemes.

We should at the very least convert PAS to use zope.password instead of AccessControl.AuthEncoding. With that change it is then at least trivial to support bcrypt as well: you simply install the additional z3c.bcrypt egg and are done with it.

But would it make sense to convert Zope2 itself as well? We could make the AuthEncoding module simply a proxy (with deprecation warnings if need be) for zope.password components.

Any objections to reworking both AuthEncoding and PAS?

--
Martijn Pieters

[1] see http://codahale.com/how-to-safely-store-a-password/ and http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt
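The glue code the message refers to, shown as an added example (not from the original post or from the Zope code base): an adapter exposes a password manager with `encodePassword`/`checkPassword` methods through a scheme registry that expects `encrypt`/`validate`. The registry functions and `PBKDF2Manager` are simplified stand-ins written for this example so that it runs without Zope installed, and it assumes the manager embeds its own `{ID}` prefix in the encoded value.

```python
import base64, hashlib, hmac, os

class PBKDF2Manager:
    """Stand-in manager with an encodePassword/checkPassword shape (assumed)."""
    prefix = "{PBKDF2}"

    def encodePassword(self, password, salt=None):
        salt = salt or os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return self.prefix + base64.b64encode(salt + dk).decode()

    def checkPassword(self, encoded, password):
        if not encoded.startswith(self.prefix):
            return False
        try:
            salt = base64.b64decode(encoded[len(self.prefix):])[:16]
        except ValueError:
            return False
        expected = self.encodePassword(password, salt)
        return hmac.compare_digest(encoded.encode(), expected.encode())

_schemes = []  # stand-in registry of (id, prefix, scheme) tuples

def registerScheme(id, scheme):
    _schemes.append((id, "{%s}" % id, scheme))

def pw_encrypt(pw, encoding):
    for id, prefix, scheme in _schemes:
        if id == encoding:
            return prefix + scheme.encrypt(pw)  # registry adds the prefix
    raise ValueError("unknown scheme: %s" % encoding)

def pw_validate(reference, attempt):
    for id, prefix, scheme in _schemes:
        if reference.startswith(prefix):
            return scheme.validate(reference[len(prefix):], attempt)
    return False  # simplified: references with an unknown prefix are rejected

class ManagerScheme:
    """Adapter: strips/restores the prefix so it is stored exactly once."""
    def __init__(self, manager, prefix):
        self.manager, self.prefix = manager, prefix

    def encrypt(self, pw):
        return self.manager.encodePassword(pw)[len(self.prefix):]

    def validate(self, reference, attempt):
        return self.manager.checkPassword(self.prefix + reference, attempt)

registerScheme("PBKDF2", ManagerScheme(PBKDF2Manager(), "{PBKDF2}"))
```

The prefix handling is the part that is easy to get wrong: if both the registry and the manager add `{ID}`, stored hashes carry it twice and later validation against either API fails.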