I am going to have a go at adding a new authentication method to
repoze.who. It's like the standard forms authentication, but uses
JavaScript hashing to protect the password as it is transmitted.

There's information about the scripts here, explaining how the system
works, how it avoids replay attacks, copes with js being disabled,
ensures that the password is protected when stored on the server, and
why SHA1/MD5 are ok to use, despite the more recent weaknesses.

I know many people are using my scripts, so I think this would be a
good feature for repoze.who. I've not used repoze.who so far, so let's
see how I get on. If anyone would like to lend a hand, just let me

Repoze-dev mailing list
