On Tue, Nov 19, 2013 at 8:48 PM, Erik van Zijst <[email protected]> wrote:
> You make a good point.
>
> An obvious fix would seem to be to add the username to the cache key. This
> way users cannot "use" another user's cache entry.
Right, that would fix it (I guess, I'm no security expert). But still you get only SHA1-level strength, when the whole idea was to switch to stronger crypto. If in your case SHA1 is enough, you can simply keep using it. If it's not enough, then you shouldn't be using it.

Of course, that's easy for me to say; I don't manage a big site like yours, so the switch to PBKDF2 doesn't cost me a cent.

I wonder if siphash is strong enough for passwords...

-- Javier
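The two points raised in the thread, as an added illustration that is not code from Django or from Erik's site: a verification cache that sits in front of a slow PBKDF2 check, keyed on a fast SHA1 of the password. Without the username in the key, one user's successful login lets a different user with the same typed password "use" that cache entry; with the username folded in, the cross-user hit disappears, but the cache still only holds SHA1-strength keys, which is Javier's objection. The cache shape, iteration count and sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed: deliberately slow PBKDF2 verifier


def make_stored_hash(password, salt=None):
    """Return (salt, pbkdf2_hash) as a password store would keep it."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def slow_verify(password, salt, expected):
    """The expensive check the cache is trying to avoid repeating."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


class VerificationCache:
    """Remembers recent successful logins so PBKDF2 runs only on a cache miss."""

    def __init__(self, include_username):
        self.include_username = include_username
        self.entries = set()   # keys of recently successful verifications
        self.slow_calls = 0    # how often PBKDF2 actually ran

    def _key(self, username, password):
        material = password.encode()
        if self.include_username:
            # Erik's fix: bind the entry to one account.
            material = username.encode() + b"\x00" + material
        # Javier's point: whatever is keyed here is protected only by SHA1.
        return hashlib.sha1(material).hexdigest()

    def check(self, username, password, salt, expected):
        key = self._key(username, password)
        if key in self.entries:
            return True                       # cache hit, PBKDF2 skipped
        self.slow_calls += 1
        ok = slow_verify(password, salt, expected)
        if ok:
            self.entries.add(key)
        return ok


def cross_user_hit(include_username):
    """Alice logs in, then Bob types Alice's password; True means Bob got in."""
    cache = VerificationCache(include_username)
    alice_salt, alice_hash = make_stored_hash("hunter2")        # constructed
    bob_salt, bob_hash = make_stored_hash("correct horse")      # constructed
    assert cache.check("alice", "hunter2", alice_salt, alice_hash)
    return cache.check("bob", "hunter2", bob_salt, bob_hash)
```

`cross_user_hit(False)` returns True (Bob is let in on Alice's cache entry) while `cross_user_hit(True)` returns False, the only behaviour the username-in-key fix changes.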
