Your timing is interesting, I'm just about to submit a patch to
support JavaScript hashing of passwords, which interacts with this.

If you use random per-user salts, which is the common approach, JS
hashing requires an Ajax request at login. Not an enormous problem,
but not ideal either.

If the salt is hmac_sha1(master_salt, user_name) or some variant of
this, you get the same benefits of salting, but avoid the ajax request
at login. master_salt is a site-specific value.


>> So, I've finished it off and submitted the patch to issue 85:
>> http://bugs.repoze.org/issue85
Repoze-dev mailing list

Reply via email to