On Feb 18, 2009, at 7:26 AM, [email protected] wrote:
Can you help me to provide Advanced Homegrown Auth with MySQL md5 support (passwords in users.password table). Probably sources or etc... I'm a beginner in Pylons and can't understand the way to build it using this article: http://wiki.pylonshq.com/display/pylonscookbook/Advanced+Homegrown+Auth
Note that you don't want to merely md5 the user's password with a private salt, as that still enables rainbow table attacks (http://en.wikipedia.org/wiki/Rainbow_table). This is because you should generally assume that it might be possible for an attacker to get both the db contents and your private salt. The generally recommended approach is to instead generate a random salt for each user, and store it with the hashed password. As md5 isn't very good nowadays due to its collision space, SHA is usually recommended.
I store the unique salt as the first 40 characters, and the hashed value as the second 40. Here are the functions I use to do this in the PylonsHQ site:
http://bitbucket.org/bbangert/kai/src/tip/kai/model/human.py#cl-68

Cheers,
Ben
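As an added illustration, not Ben's kai code and not part of the original thread, here is a Python sketch of the per-user-salt layout he describes: 40 hex characters of random salt followed by the 40-character SHA-1 hex digest of salt + password, stored as one 80-character string. The function names `hash_password` and `check_password` are assumptions for this example.

```python
import hashlib
import hmac
import os

# Layout described in the message: salt = first 40 chars, hash = second 40.
SALT_LEN = 40   # 20 random bytes, hex-encoded
HASH_LEN = 40   # length of a SHA-1 hex digest


def hash_password(password, salt=None):
    """Return an 80-char string: 40 hex chars of salt + 40 hex chars of
    SHA-1(salt + password). A fresh random salt is drawn per call unless
    one is supplied (the optional argument exists for deterministic tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN // 2).hex()
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d hex characters" % SALT_LEN)
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def check_password(password, stored):
    """Verify a candidate password against a stored salt+hash string.
    Malformed stored values are rejected rather than raising."""
    if len(stored) != SALT_LEN + HASH_LEN:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(candidate, expected)


def demo():
    """Two users choosing the same password get different stored values;
    that per-user difference is what defeats a precomputed (rainbow) table."""
    a = hash_password("correct horse")
    b = hash_password("correct horse")
    return (a != b
            and check_password("correct horse", a)
            and check_password("correct horse", b)
            and not check_password("wrong", a))


if __name__ == "__main__":
    print(hash_password("example"))
    print(demo())
```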
