On Wed, Feb 18, 2009 at 20:45, Ben Bangert <[email protected]> wrote: > On Feb 18, 2009, at 7:26 AM, [email protected] wrote: > > Can you help me to provide Advanced Homegrown Auth with mysql md5 >> support (passwords in users.password table). Probably sources or >> etc... i'm beginner in pylons and can't understand way to build using >> this article >> http://wiki.pylonshq.com/display/pylonscookbook/Advanced+Homegrown+Auth >> > > Note that you don't want to merely md5 the users password with a private > salt as that still enables rainbow table attacks ( > http://en.wikipedia.org/wiki/Rainbow_table). This is because you should > generally assume that it might be possible for an attacker to get both the > db contents, and your private salt. The generally recommended approach is to > instead generate a random salt for each user, and store it with the hashed > password. As md5 isn't very good nowadays due to its collision space, SHA is > usually recommended. > > I store the unique salt as the first 40 characters, and the hashed value as > the second 40. Here are the functions I use to do this in the PylonsHQ site: > http://bitbucket.org/bbangert/kai/src/tip/kai/model/human.py#cl-68 >
I came across the following custom property for sqlalchemy on the sqlalchemy mailing list: http://www.sqlalchemy.org/trac/wiki/UsageRecipes/HashProperty This seems to do the things you mentioned nicely integrated with sqlalchemy. Haven't tried it myself yet though. Regards, Michael > > Cheers, > Ben --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en -~----------~----~----~----~------~----~------~--~---
