-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No, you don't have to do that.

Here's an article on why bcrypt should be used: http://codahale.com/how-to-safely-store-a-password/

Mike Orr <[email protected]> writes:

> On Mon, Apr 25, 2011 at 8:33 AM, Parnell Springmeyer <[email protected]>
> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I second this - use /bcrypt/ /bcrypt/ /bcrypt/. py-bcrypt is a great
>> python package for it.
>>
>> Daniel Holth <[email protected]> writes:
>>
>>> You should consider using a secure password hash in your users table.
>>> Right now if two users in your template choose the same password they
>>> will get the same hashed password.
>
> So the user table has both a 'password' and 'salt' field? How much
> does it really matter if two people have the same real password and
> encrypted password? They would have to break into the computer and
> download the user table to determine that this is the case, or try
> their own password against all other users (after somehow determining
> the other usernames). But the chance of somebody else choosing the
> same password as the attacker is infinitesimally small, unless the
> other user chose a weak password, in which case a dictionary attack
> would be just as effective and more convenient.
>
> --
> Mike Orr <[email protected]>

- --
Parnell "ixmatus" Springmeyer (http://ixmat.us)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJNtcfaAAoJEPvtlbpI1POLzMwIAJRRvM+yeqrutGW2LpY5alj5
/xdck7cr5gE8GGOCUkC2lYzbhp3Zjlt71fvytcCs/xvJ1FhB1RNU4oB0s2Sd77zN
5vKvqcH5uuVx0xwjxNle+z1VufS3VJv9uU4gX+B9zvKP4hs3HCytRh8DXZslW3sF
Sv+LkM5Voxj9kijHGg4vCwhWMny7GYzhoSn10RyMVt62oB6HfiwAIWpF9UTeTnnG
9kewYMZbtf7JCxZhkF/n4F1+wCt7KyOcJrDHxdP7MbKtDYxNFW1cbgNKD7G2xMmJ
N0W8INwjfBNwnMev6Xy4+CGt9WVk4b8DnW3FY5MFylg+5ZDGXK5FNvCZBOr5KFc=
=ujdB
-----END PGP SIGNATURE-----
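The point Daniel and Parnell are making (and Mike is asking about) is what a per-user salt buys you. Below is an added illustration, not code from any of the posters: it builds a constructed three-user table with two users sharing a password, stores it once with plain unsalted SHA1 and once with a salted, iterated hash, and shows that only the unsalted table reveals which users share a password. It uses the standard library's PBKDF2-HMAC as a stand-in for bcrypt (an assumption made so the example runs without py-bcrypt installed); the per-user random salt and the deliberately slow hash are the same properties the thread is recommending bcrypt for. All names and the `USERS` data are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample data: alice and bob happen to have chosen the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

# Work factor for the stand-in KDF; bcrypt's cost parameter plays the same role.
ITERATIONS = 50_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the thread warns about: identical passwords -> identical stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = ITERATIONS) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256 as a bcrypt stand-in; assumption, not the thread's library).

    The record carries its own salt and iteration count, so no separate 'salt' column is needed:
    the same thing bcrypt does by embedding cost and salt in its output string.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(record: str, password: str) -> bool:
    """Recompute the hash with the salt stored in the record and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the 'before' users table looks like: one SHA1 per user, no salt."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def salted_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the table looks like once every user gets an individual salt."""
    return {user: make_salted_record(pw) for user, pw in users.items()}


def duplicate_groups(table: Dict[str, str]) -> List[Set[str]]:
    """Group usernames whose stored values are byte-for-byte identical.

    On a leaked unsalted table this is exactly the information Daniel describes leaking;
    on a salted table the answer is empty even when passwords are shared.
    """
    by_value: Dict[str, Set[str]] = {}
    for user, stored in table.items():
        by_value.setdefault(stored, set()).add(user)
    return [group for group in by_value.values() if len(group) > 1]


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(unsalted_table(USERS)))
    salted = salted_table(USERS)
    print("salted duplicates:  ", duplicate_groups(salted))
    print("alice login ok:     ", verify(salted["alice"], "hunter2"))
```

Beyond the duplicate-password leak, the salt also answers Mike's dictionary-attack comparison: against the unsalted table one hash computation per candidate word checks every user at once, whereas with per-user salts each guess has to be recomputed per user, and the iteration count (bcrypt's cost) makes each of those computations expensive.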
