On Tue, Nov 19, 2013 at 8:48 PM, Erik van Zijst
<[email protected]> wrote:
> You make a good point.
>
> An obvious fix would seem to be to add the username to the cache key. This
> way users cannot "use" another user's cache entry.


right, that would fix it.  (i guess, i'm no security expert)

but still you get only SHA1-level strength, when the whole idea was to
switch to stronger crypto.  if in your case SHA1 is enough, you can
simply keep using it.  if it's not enough, then you shouldn't be using
it.

of course, that's easy for me to say; i don't manage a big site like
yours, so the switch to PBKDF2 doesn't cost me a cent.

i wonder if siphash is strong enough for passwords...

-- 
Javier
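The cache flaw the quoted reply describes, and the fix of binding the cache key to the username, as an added example that is not code from this thread or from Django. It assumes a hypothetical in-process verification cache in front of PBKDF2; the accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; the cost the cache is meant to avoid repeating

def make_record(password: str) -> tuple:
    """Store a salted PBKDF2-HMAC-SHA256 hash, as a PBKDF2 password hasher would."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample accounts (not from the thread); alice and bob have different passwords.
USERS = {"alice": make_record("correct horse"), "bob": make_record("battery staple")}

class CachingVerifier:
    """Caches verification results so a repeat login skips the PBKDF2 work.

    key_includes_username=False reproduces the flaw discussed in the thread:
    the cache key is derived from the password alone, so one user's cached
    "True" is returned for any other user who submits the same string.
    """
    def __init__(self, key_includes_username: bool):
        self.key_includes_username = key_includes_username
        self.cache = {}           # SHA1 cache key -> bool (verification result)
        self.expensive_calls = 0  # how many PBKDF2 computations actually ran

    def _cache_key(self, username: str, password: str) -> bytes:
        material = password.encode()
        if self.key_includes_username:
            material = username.encode() + b"\0" + material  # bind the entry to one account
        # Even with the fix, an entry is only protected by SHA1 of the secret, which is
        # the remaining concern in the reply: the cache must stay as private as the hashes.
        return hashlib.sha1(material).digest()

    def verify(self, username: str, password: str) -> bool:
        record = USERS.get(username)
        if record is None:
            return False  # unknown account: nothing to compare against, nothing cached
        key = self._cache_key(username, password)
        if key in self.cache:
            return self.cache[key]
        self.expensive_calls += 1
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        ok = hmac.compare_digest(candidate, stored)
        self.cache[key] = ok
        return ok
```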
