#5600: Patch to enhance cryptography on django.contrib.auth
--------------------------------+-------------------------------------------
   Reporter:  petrilli          |                Owner:  nobody                
     Status:  new               |            Component:  Contrib apps          
    Version:  SVN               |           Resolution:                        
   Keywords:  auth user crypto  |                Stage:  Design decision needed
  Has_patch:  1                 |           Needs_docs:  0                     
Needs_tests:  1                 |   Needs_better_patch:  0                     
--------------------------------+-------------------------------------------
Comment (by ubernostrum):

 Please be careful with your terminology here: it's true that the ''salt''
 is selected from a space of 16^5^, but the eventual ''hash'' comes from a
 space of 16^40^, and the size of that space does not decrease if there's a
 collision in salts. The only way that identical ''hashes'' come up is if
 two users select identical plaintext passwords and also get a hash
 collision (which is something to be solved by password policies) or if an
 attacker manages to obtain the salt and the hash and generate a second
 string which causes a collision (and the stat I've seen for that is 2^69^,
 not 2^63^, and the resources needed to do it in reasonable times are still
 such that it's not practically feasible for the overwhelming majority of
 attack scenarios; generating rainbow tables from a suitable dictionary is
 likely to be a much more efficient use of the average attacker's time and
 is unaffected, as far as I can tell, by what you're proposing).

 On the whole I'm happy with the idea of allowing more options for hashing
 and for expanding the space from which salts are selected, but again:
 please be very careful in how you describe this: there's a lot of
 misunderstanding about this stuff, and throwing in confused/confusing
 assertions doesn't help any.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/5600#comment:3>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
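A worked illustration of the point made in the comment above, added here and not part of the ticket or of Django's own code: it assumes the `sha1$salt$hash` layout django.contrib.auth used at the time (5 hex-character salt, 40 hex-character SHA-1 digest) and shows that a salt collision alone never yields identical stored hashes, while a birthday bound shows how quickly salts do repeat in a 16^5 space.

```python
import hashlib
import math
import secrets

# Assumed historical django.contrib.auth parameters (see ticket discussion).
SALT_HEX_CHARS = 5    # salts drawn from a space of 16**5
HASH_HEX_CHARS = 40   # sha1 hexdigest: values drawn from a space of 16**40


def make_salt() -> str:
    """Return a random salt of SALT_HEX_CHARS hex characters."""
    return secrets.token_hex(3)[:SALT_HEX_CHARS]


def encode_password(raw_password: str, salt: str) -> str:
    """Build 'sha1$salt$hash' with hash = sha1(salt + raw_password).

    Assumed to mirror the historical Django encoding; constructed for this
    example, not copied from the project.
    """
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return f"sha1${salt}${digest}"


def stored_hash(encoded: str) -> str:
    """Extract the 40-hex-character hash field from an encoded password."""
    return encoded.split("$", 2)[2]


def hashes_match(pw_a: str, salt_a: str, pw_b: str, salt_b: str) -> bool:
    """True only when both the salt and the plaintext coincide (or SHA-1
    itself collides): a shared salt with different passwords differs."""
    return stored_hash(encode_password(pw_a, salt_a)) == stored_hash(
        encode_password(pw_b, salt_b)
    )


def salt_collision_probability(num_users: int,
                               salt_space: int = 16 ** SALT_HEX_CHARS) -> float:
    """Birthday-bound estimate that at least two of num_users share a salt.

    This is what shrinks as the salt space grows; the hash space (16**40)
    is unaffected, which is the distinction the comment draws.
    """
    return 1.0 - math.exp(-num_users * (num_users - 1) / (2.0 * salt_space))
```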