On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
> I was getting interested in how Pyramid's authentication works and
> looked through the commonly used AuthTktAuthenticationPolicy code. I
> found out it uses MD5 and the only thing keeping the cookie from being
> forged is the secret.
> I see two different issues here:
> First, MD5 is already known to have weaknesses and it would be a good
> idea to have different algorithms available so they can be set. This
> shouldn't be very hard to implement (I can write a patch if you
> desire) and it can improve the security of any site.
> Second, since everything depends on the single secret, I think it
> should be documented better (communicated on at least the docstring
> and the documentation) that the secret has to be strong (long, random,
> maybe state a minimum length).

It would be fine by me if we made it possible to change the hashing
algorithm.  But it probably needs to continue to support md5, because
its purpose is to be compatible with Apache mod_auth_tkt cookies.  I
would be happy to accept a patch that allowed folks to plug in a
different hashing algorithm, and explain to them that if they do, it
will no longer be compatible with those cookies.

There are also existing options that can help make it stronger
regardless of the hash, such as including the IP in the token, IIRC.

- C
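
The pluggable hash discussed in this thread, as an added Python sketch (not Pyramid's or mod_auth_tkt's own code): the digest length sets where the ticket is split, so a ticket signed with one algorithm does not verify under another, and binding the IP into the hash rejects the ticket from another address. The two-pass digest layout is assumed from the mod_auth_tkt scheme; the function names, secret and addresses are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-sample-secret-not-for-production"  # constructed value

def calculate_digest(ip, timestamp, secret, userid, hashalg="md5"):
    """Two-pass digest; layout assumed from the mod_auth_tkt scheme (IPv4 only)."""
    # The client IP and timestamp are bound into the hash as 8 packed bytes.
    ip_ts = socket.inet_aton(ip) + struct.pack("!I", timestamp)
    # Empty token list and user data, each NUL-separated, follow the userid.
    inner = hashlib.new(hashalg, ip_ts + secret + userid + b"\0" + b"\0")
    outer = hashlib.new(hashalg, inner.hexdigest().encode("ascii") + secret)
    return outer.hexdigest()

def make_ticket(ip, timestamp, secret, userid, hashalg="md5"):
    """Ticket = hex digest + 8 hex digits of timestamp + userid + '!'."""
    digest = calculate_digest(ip, timestamp, secret, userid, hashalg)
    return "%s%08x%s!" % (digest, timestamp, userid.decode("utf-8"))

def verify_ticket(ticket, ip, secret, hashalg="md5"):
    """Return the userid if the ticket verifies for this IP, else None.

    Expiry checking is left out to keep the sketch short.
    """
    # The split point depends on the algorithm: 32 hex chars for md5,
    # 128 for sha512. This is why changing it breaks compatibility.
    dlen = hashlib.new(hashalg).digest_size * 2
    digest, rest = ticket[:dlen], ticket[dlen:]
    try:
        timestamp = int(rest[:8], 16)
    except ValueError:
        return None
    userid, sep, _ = rest[8:].partition("!")
    if timestamp < 0 or not sep:
        return None
    expected = calculate_digest(ip, timestamp, secret,
                                userid.encode("utf-8"), hashalg)
    # Constant-time comparison of the presented and recomputed digests.
    if hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8")):
        return userid
    return None
```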