n.b. Gawker Media. Strong password hashes protect your reputation and your
users' accounts on other services when your password database is
compromised. Even if you don't care, they are so trivial to implement, why
not use them?
If you are running on a modern Linux distribution all you have to do to get
a good password hash is call crypt.crypt('password', '$6$' +
base64.b64encode(os.urandom(12), altchars='./')). $6$ (supported prefixes
vary by Unix, see 'man crypt') tells the builtin crypt implementation that
it should use a scheme based on many iterations of SHA512, salted with 12
bytes of random data, to produce a password hash such as:
$6$P7GbB7H2yUevixa.$H8PrVPW.r5zUGykDUW1fK/PTX6QsqvUbYifvFqiPsaFPffCq94KOGLh7rqHTjjOGF0JFgUgHgcbSlI4W9.NbV0
To check the password, assert that crypt.crypt('password', stored_hash) ==
stored_hash
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
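The hash-then-recompute pattern from the post, worked through as an added example that is not part of the original message. Python's crypt module is deprecated since 3.11 and removed in 3.13, and even where it exists the $6$ scheme is only available if the C library implements it, so this block reimplements glibc's SHA512-crypt ($6$) on top of hashlib instead of calling crypt.crypt; the salt is built exactly as the post does it (12 random bytes, base64 with './' as the alternate characters, giving the 16-character maximum salt). The function names sha512_crypt, new_salt, hash_password and verify_password are this example's own. The expected value checked below is the "Hello world!" / "saltstring" test vector from the SHA-crypt specification. 5000 rounds is glibc's default and is kept here for compatibility; pass a larger count to hash_password for new systems.

```python
# Added example: pure-Python SHA512-crypt ($6$) hash and constant-time verify.
# Reimplements the glibc scheme with hashlib because the crypt module is
# deprecated (3.11) / removed (3.13) and $6$ support is libc-dependent.
import base64
import hashlib
import hmac
import os

# crypt's base64 alphabet (note the order: '.', '/', digits, upper, lower).
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000        # glibc default
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999   # glibc clamps to this range
MAX_SALT_LEN = 16

# Output byte order from glibc's sha512-crypt.c: 21 groups of three bytes,
# then byte 63 on its own.
_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n chars of crypt-style base64, low six bits first (as glibc does)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=DEFAULT_ROUNDS):
    """Return the '$6$[rounds=N$]salt$hash' string per Drepper's SHA-crypt."""
    rounds = max(ROUNDS_MIN, min(rounds, ROUNDS_MAX))
    key = password.encode("utf-8")
    salt = salt[:MAX_SALT_LEN]            # glibc truncates the salt to 16 chars
    sb = salt.encode("utf-8")
    sha = hashlib.sha512
    # Digest B = H(key || salt || key)
    b = sha(key + sb + key).digest()
    # Digest A = H(key || salt || B repeated to len(key) || bit-pattern mix)
    a = sha(key + sb)
    a.update(b * (len(key) // 64) + b[: len(key) % 64])
    n = len(key)
    while n:                              # for each bit of len(key), LSB first
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    # P = H(key repeated len(key) times), stretched to len(key) bytes
    dp = sha(key * len(key)).digest()
    p = (dp * (len(key) // 64 + 1))[: len(key)]
    # S = H(salt repeated 16 + A[0] times), stretched to len(salt) bytes
    ds = sha(sb * (16 + a[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[: len(sb)]
    # The expensive part: `rounds` chained SHA-512 digests mixing P, S and C
    c = a
    for i in range(rounds):
        h = sha()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    encoded = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    encoded += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else "$6$rounds=%d$" % rounds
    return prefix + salt + "$" + encoded


def new_salt():
    """16 salt chars from 12 random bytes, as in the post (altchars './')."""
    return base64.b64encode(os.urandom(12), altchars=b"./").decode("ascii")


def hash_password(password, rounds=DEFAULT_ROUNDS):
    return sha512_crypt(password, new_salt(), rounds)


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    parts = stored.split("$")            # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) not in (4, 5) or parts[0] != "" or parts[1] != "6":
        return False
    rounds = DEFAULT_ROUNDS
    if len(parts) == 5:
        if not parts[2].startswith("rounds="):
            return False
        try:
            rounds = int(parts[2][len("rounds="):])
        except ValueError:
            return False
    salt, digest = parts[-2], parts[-1]
    candidate = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, digest)   # no early-exit on mismatch
```

verify_password parses the salt and round count back out of the stored string, so the stored value is self-describing and the round count can be raised later without a flag day; hmac.compare_digest replaces the plain == in the post so that a mismatch does not leak how many leading characters matched.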