On Mon, Apr 25, 2011 at 8:33 AM, Parnell Springmeyer <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I second this - use /bcrypt/ /bcrypt/ /bcrypt/. py-bcrypt is a great
> python package for it.
>
> Daniel Holth <[email protected]> writes:
>
>> You should consider using a secure password hash in your users table.
>> Right now if two users in your template choose the same password they
>> will get the same hashed password.
So the user table has both a 'password' and 'salt' field? How much does it really matter if two people have the same real password and encrypted password? They would have to break into the computer and download the user table to determine that this is the case, or try their own password against all other users (after somehow determining the other usernames). But the chance of somebody else choosing the same password as the attacker is infinitesimally small, unless the other user chose a weak password, in which case a dictionary attack would be just as effective and more convenient.

-- 
Mike Orr <[email protected]>

-- 
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
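Two things raised in the thread lend themselves to a worked example: whether a separate 'salt' column is needed at all, and what an attacker who has downloaded the user table gains from unsalted hashes. The block below is an added example, not code from the thread, from py-bcrypt or from Pylons. It uses the standard library's PBKDF2 instead of bcrypt so that it runs with no extra packages; the packed "pbkdf2_sha256$iterations$salt$hash" storage format (bcrypt likewise embeds its salt in the string it returns, which is why one column suffices), the user names, passwords and wordlist are all constructed assumptions for illustration.

```python
"""Added example (not from the thread): why a per-user random salt matters
for a password column, using only the Python standard library.

The packed "pbkdf2_sha256$iter$salt$hash" layout is an assumption made
here for illustration; it lets a single 'password' column carry its own
salt, so no separate 'salt' column is required.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hash_unsalted(password):
    """The weak scheme under discussion: same password -> same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash; returns one string that embeds its own salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute using the salt and iteration count stored with the hash."""
    _algo, iterations, salt_hex, _digest = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def crack_unsalted(stored, wordlist):
    """Dictionary attack on {user: unsalted_hash}.

    One hash per candidate word is compared against every user at once,
    so the cost is len(wordlist) regardless of how many users there are.
    Returns (cracked {user: password}, number of hashes computed).
    """
    found, work = {}, 0
    for word in wordlist:
        candidate = hash_unsalted(word)
        work += 1
        for user, stored_hash in stored.items():
            if hmac.compare_digest(candidate, stored_hash):
                found[user] = word
    return found, work


def crack_salted(stored, wordlist):
    """Dictionary attack on {user: salted_hash}.

    Each user's salt forces a separate hash per (user, word) pair, so the
    cost is len(wordlist) * len(stored), and identical passwords no longer
    produce identical stored values.
    """
    found, work = {}, 0
    for user, stored_hash in stored.items():
        _algo, iterations, salt_hex, _digest = stored_hash.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            candidate = hash_password(word, salt, int(iterations))
            work += 1
            if hmac.compare_digest(candidate, stored_hash):
                found[user] = word
    return found, work


# Constructed sample data (not from the thread): two users share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]


def demo():
    """Build both kinds of user table and attack each with the same wordlist."""
    unsalted_table = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_table = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted_table["alice"] == unsalted_table["bob"],
        "salted_identical": salted_table["alice"] == salted_table["bob"],
        "unsalted_crack": crack_unsalted(unsalted_table, WORDLIST),
        "salted_crack": crack_salted(salted_table, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the constructed data the unsalted table shows alice and bob with byte-identical hashes, and a single pass over the five-word list (five hash computations) recovers both accounts. Against the salted table the same attacker needs one computation per user per word (fifteen here) and cannot tell from the table alone which users share a password; with a real work factor each of those computations is deliberately slow, which is the property the thread's bcrypt recommendation is about.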
