On Saturday 28 June 2008 21:48:24 Simon Willison wrote:
> A further micro-optimisation is to leave out the hyphen entirely,
> since an SHA-1 hash is always 40 characters long (we should
> probably use that instead of MD5).

MD5 is 8 chars shorter. Do we really need SHA-1? If I understand correctly, the only known vulnerability with MD5 is the ability to force collisions, but that will not help an attacker in this case. The only thing that an attacker can influence at all in the string being hashed is the timestamp, and it is limited to a few chars.

Your base36 stuff etc. all sounds good.

I implemented what has been discussed so far (apart from addition of timestamp) for my own project, with tests. It should be fairly easy to add to the newforms admin branch, but the only problem is knowing how to get some of the URLs without hard-coding them. (e.g. on the final page, you would want to have a link to the log in screen, but I don't know how to calculate that).

Regards,

Luke

--
"I have had a perfectly lovely evening. However, this wasn't it." (Groucho Marx)

Luke Plant || http://lukeplant.me.uk/
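
Added example, not part of the original message or of Django's code: the token layout discussed in this thread, a base36 timestamp followed directly by a fixed-length hex digest with no hyphen, split on the digest length when checked. HMAC is swapped in for the plain hash; the secret, the fields being hashed, and all function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-secret-for-demo"  # assumption: server-side secret key
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def to_base36(n):
    """Encode a non-negative integer in base36."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out


def _mac(user_id, password_hash, ts36, algo):
    # Assumed composition of the hashed string: user id, current password
    # hash and timestamp. Only the timestamp is supplied by the client.
    msg = "|".join([str(user_id), password_hash, ts36]).encode()
    return hmac.new(SECRET, msg, getattr(hashlib, algo)).hexdigest()


def make_token(user_id, password_hash, timestamp, algo="sha1"):
    ts36 = to_base36(timestamp)
    # No hyphen: the hex digest has a fixed length, so it can be split off.
    return ts36 + _mac(user_id, password_hash, ts36, algo)


def check_token(token, user_id, password_hash, now, max_age, algo="sha1"):
    digest_len = hashlib.new(algo).digest_size * 2  # 40 for sha1, 32 for md5
    ts36, mac = token[:-digest_len], token[-digest_len:]
    if not ts36 or len(mac) != digest_len:
        return False
    if any(c not in ALPHABET for c in ts36):
        return False
    expected = _mac(user_id, password_hash, ts36, algo)
    # Constant-time comparison; fails if the timestamp or digest was altered.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= now - int(ts36, 36) <= max_age
```

Because the password hash is part of the hashed string in this example, a token stops validating once the password changes.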