Your timing is interesting, I'm just about to submit a patch to
If you use random per-user salts, which is the common approach, JS
hashing requires an Ajax request at login. Not an enormous problem,
but not ideal either.
If the salt is hmac_sha1(master_salt, user_name) or some variant of
this, you get the same benefits of salting, but avoid the Ajax request
at login. master_salt is a site-specific value.
>> So, I've finished it off and submitted the patch to issue 85:
Repoze-dev mailing list
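
The derived-salt scheme described in the message above, as an added example that is not part of the original thread or of the patch it mentions. It is written in Python to show the computation both sides must agree on (a login page would do the same in JS). The PBKDF2 hashing step, the sample `MASTER_SALT`, the lower-casing of user names and the `register`/`login` helpers are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample value (assumption); each site would use its own.
MASTER_SALT = b"example-site-master-salt"


def derive_salt(master_salt: bytes, user_name: str) -> bytes:
    """Per-user salt = HMAC-SHA1(master_salt, user_name).

    No lookup is needed: anyone who knows the site value and the user
    name can recompute it, which is what removes the extra request.
    """
    return hmac.new(master_salt, user_name.encode("utf-8"), hashlib.sha1).digest()


def canonical(user_name: str) -> str:
    # Assumption: user names are case-insensitive. Both sides must
    # normalise identically or they derive different salts.
    return user_name.strip().lower()


def client_hash(user_name: str, password: str) -> bytes:
    """What the login form would compute before submitting.

    Assumption: PBKDF2-HMAC-SHA256 as the password hash; the message
    does not say which hash is used.
    """
    salt = derive_salt(MASTER_SALT, canonical(user_name))
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(db: dict, user_name: str, password: str) -> None:
    # Hypothetical server-side store keyed by canonical user name.
    db[canonical(user_name)] = client_hash(user_name, password)


def login(db: dict, user_name: str, submitted: bytes) -> bool:
    stored = db.get(canonical(user_name))
    # Constant-time comparison avoids leaking how many bytes matched.
    return stored is not None and hmac.compare_digest(stored, submitted)
```

Two users with the same password end up with different stored values because their derived salts differ, and changing `MASTER_SALT` changes every derived salt for the site.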