Paul Johnston wrote:
> By default, passwords are stored in the database without a salt. Usual
> practice is to use a salt, to make things harder for an attacker, just
> in case your password database is captured. The scheme I favor is
> storing hmac_sha1(hmac_sha1(master_salt, user_name), password).
> master_salt is a per-site value.
The SSHA algorithm, used by default in OpenLDAP, stores something
simpler and just as secure AFAICT:
(sha1(password, random_salt), random_salt)
It seems better to use a standard algorithm and not keep track of a
LDAP also provides a standard way to allow multiple password hashing
schemes to coexist in a database. Every password is prefixed with the
scheme name in curly brackets. So a typical password would look like:
I suggest repoze.who plugins, particularly the ZODB plugin, ought to
adopt these standards.
Repoze-dev mailing list
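As an added example (not code from repoze.who, OpenLDAP, or either poster), the following shows both storage schemes discussed in this thread: the OpenLDAP-style {SSHA} value, base64(sha1(password || salt) || salt), and an unsalted {SHA} entry beside it for legacy data, plus a verifier that dispatches on the {SCHEME} prefix so the two can coexist in one store. Paul Johnston's hmac_sha1(hmac_sha1(master_salt, user_name), password) proposal is also included; the reading of that formula (the inner HMAC keyed by master_salt over the user name yields a per-user key) and the {X-HMAC-SHA1} tag used to label it are assumptions, as is the 8-byte salt length.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest; in {SSHA} the salt is whatever follows it


def split_scheme(stored: str) -> tuple[Optional[str], str]:
    """Split an LDAP userPassword value into its {SCHEME} tag and payload.

    Returns (None, stored) when there is no tag, which LDAP treats as cleartext.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random bytes per password; any length works
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Only useful for reading legacy entries."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def keyed_hmac_hash(master_salt: bytes, user_name: str, password: str) -> str:
    """Paul Johnston's hmac_sha1(hmac_sha1(master_salt, user_name), password).

    Assumed reading: the per-user key is an HMAC of the user name under the
    site-wide master_salt. The {X-HMAC-SHA1} tag is hypothetical, not a registered
    LDAP scheme. master_salt is per-site and deliberately not stored with the hash.
    """
    user_key = hmac.new(master_salt, user_name.encode("utf-8"), hashlib.sha1).digest()
    digest = hmac.new(user_key, password.encode("utf-8"), hashlib.sha1).digest()
    return "{X-HMAC-SHA1}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str, *,
                    user_name: str = "", master_salt: bytes = b"") -> bool:
    """Check a candidate password against a stored value, dispatching on its {SCHEME}."""
    scheme, payload = split_scheme(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt travels with the hash
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme == "SHA":
        digest = base64.b64decode(payload)
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    elif scheme == "X-HMAC-SHA1":
        digest = base64.b64decode(payload)
        recomputed = keyed_hmac_hash(master_salt, user_name, password)
        candidate = base64.b64decode(split_scheme(recomputed)[1])
    elif scheme is None:
        digest, candidate = payload.encode("utf-8"), password.encode("utf-8")  # cleartext entry
    else:
        return False  # unknown scheme: refuse rather than guess how to compare
    # constant-time comparison; different lengths simply compare unequal
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("correct horse")  # fresh random salt each call
    print(stored, verify_password(stored, "correct horse"), verify_password(stored, "wrong"))
```

Because the salt is carried inside the {SSHA} payload, the verifier needs nothing but the stored string, which is why every entry in the store can use a different salt and why two calls to ssha_hash with the same password yield different strings. The keyed scheme, by contrast, needs the user name and the site-wide master_salt at verification time and cannot be checked by a tool that only sees the database.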