On Fri, Sep 21, 2012 at 1:54 PM, Domen Kožar <do...@dev.si> wrote:
> For generating secrets it's important to discourage usage of random module,
> but use something like:
>
> secret = ''.join('%02x' % ord(x) for x in os.urandom(128))
Great wordpress site! Secrets transmitted in the clear without mandatory SSL.
My apps use a generic key/value settings table and a function to
generate a named secret if it is missing. It is easy.
https://bitbucket.org/dholth/stucco_auth/src/8d5faddc8ff9/stucco_auth/__init__.py#cl-49
128 bytes (1024 bits) is massive overkill. 16 or 32 bytes (128/256
bits) is enough of a secret. 256-bit hashes are enough.
HMAC-SHA256 or HMAC-SHA512 are absolutely unbreakable given that you
maintain the secrecy of the key. 2**128 operations to brute force
minimum. The other attack vector is of course firesheep (capturing the
cookie). If you do plan on losing the secret, by all means rotate it.
I don't think even auth_tkt with md5 is insecure, due to the double
hashing, but it is a good idea to switch to sha256.
There's a mod_auth_hmac if you can read Japanese.
--
You received this message because you are subscribed to the Google Groups
"pylons-devel" group.
To post to this group, send email to pylons-devel@googlegroups.com.
To unsubscribe from this group, send email to
pylons-devel+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/pylons-devel?hl=en.
