Agreed. For that reason, I'd just use session authentication policy and TLS
without decompression.

On Fri, Sep 21, 2012 at 8:26 PM, Daniel Holth <dho...@gmail.com> wrote:

> On Fri, Sep 21, 2012 at 1:54 PM, Domen Kožar <do...@dev.si> wrote:
> > For generating secrets it's important to discourage usage of random
> module,
> > but use something like:
> >
> >     secret = ''.join('%02x' % ord(x) for x in os.urandom(128))
>
> Great wordpress site! Secrets transmitted in the clear without mandatory
> SSL.
>
> My apps use a generic key/value settings table and a function to
> generate a named secret if it is missing. It is easy.
>
> https://bitbucket.org/dholth/stucco_auth/src/8d5faddc8ff9/stucco_auth/__init__.py#cl-49
>
> 128 bytes (1024 bits) is massive overkill. 16 or 32 bytes (128/256
> bits) is enough of a secret. 256-bit hashes are enough.
>
> HMAC-SHA256 or HMAC-SHA512 are absolutely unbreakable given that you
> maintain the secrecy of the key. 2**128 operations to brute force
> minimum. The other attack vector is of course firesheep (capturing the
> cookie). If you do plan on losing the secret, by all means rotate it.
>
> I don't think even auth_tkt with md5 is insecure, due to the double
> hashing, but it is a good idea to switch to sha256.
>
> There's a mod_auth_hmac if you can read Japanese.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-devel" group.
> To post to this group, send email to pylons-devel@googlegroups.com.
> To unsubscribe from this group, send email to
> pylons-devel+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/pylons-devel?hl=en.
>
>

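The pattern Daniel describes (a key/value settings table, a function that generates a named secret when it is missing, a 32-byte secret from os.urandom rather than the random module, HMAC-SHA256 over the cookie, and rotation when a secret is believed lost), as an added example that is not the stucco_auth code linked above. It assumes an in-memory SQLite table named `settings` standing in for the application's own settings store; the function names (`get_or_create_secret`, `sign_cookie`, `verify_cookie`, `rotate_secret`) and the `name.previous` convention for the retired key are illustrative choices, not anything from the thread.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Sequence


def open_settings_db() -> sqlite3.Connection:
    """Constructed stand-in for a generic key/value settings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
    )
    return conn


def get_or_create_secret(conn: sqlite3.Connection, name: str, nbytes: int = 32) -> str:
    """Return the named secret, generating it on first use.

    32 bytes (256 bits) from os.urandom is ample; the stdlib random module is
    not a CSPRNG and must not be used here. The value is stored hex-encoded.
    """
    row = conn.execute(
        "SELECT value FROM settings WHERE key = ?", (name,)
    ).fetchone()
    if row is not None:
        return row[0]
    secret = os.urandom(nbytes).hex()
    conn.execute("INSERT INTO settings (key, value) VALUES (?, ?)", (name, secret))
    conn.commit()
    return secret


def _mac(secret_hex: str, payload: str) -> str:
    return hmac.new(bytes.fromhex(secret_hex), payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(secret_hex: str, payload: str) -> str:
    """Append an HMAC-SHA256 tag to the cookie payload."""
    return f"{payload}|{_mac(secret_hex, payload)}"


def verify_cookie(secrets: Sequence[str], cookie: str) -> Optional[str]:
    """Return the payload if the tag verifies under any listed key, else None.

    secrets[0] is the current key; any older keys follow so that cookies
    signed before a rotation remain valid for a grace period. The comparison
    is constant-time to avoid leaking how many tag bytes matched.
    """
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    for secret_hex in secrets:
        if hmac.compare_digest(_mac(secret_hex, payload), tag):
            return payload
    return None


def rotate_secret(conn: sqlite3.Connection, name: str, nbytes: int = 32) -> str:
    """Retire the current secret to '<name>.previous' and generate a fresh one."""
    current = get_or_create_secret(conn, name, nbytes)
    conn.execute(
        "INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)",
        (name + ".previous", current),
    )
    new_secret = os.urandom(nbytes).hex()
    conn.execute(
        "INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)", (name, new_secret)
    )
    conn.commit()
    return new_secret


if __name__ == "__main__":
    db = open_settings_db()
    key = get_or_create_secret(db, "auth_tkt.secret")
    cookie = sign_cookie(key, "user=alice")
    print(cookie, verify_cookie([key], cookie))
    new_key = rotate_secret(db, "auth_tkt.secret")
    # Old cookie still verifies while the previous key is in the accepted list.
    print(verify_cookie([new_key, key], cookie))
```

Verification accepts the old key only because the caller passes it in; dropping it from the list is what ends the grace period, which is the point of rotation when a secret may have leaked. Signing does nothing for confidentiality, so, as the reply above says, the cookie still needs TLS to avoid capture in transit.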