Doug's analysis of the patch is right on, but he doesn't go far enough.
1. The author of the patch clearly thinks that security consists of
sprinkling magic SHA-1 HMAC challenge response pixie dust over the code
in a random fashion. This means that any revised patch must be viewed
2. SHA-1 isn't even the recommended flavor of pixie dust anymore. Use
The right thing to do is have the login over SSL.
The next best thing to do is to use SRP. It's the only thing that lets
you have secure passwords on the server and secure transmission of
passwords from the client. There's a JavaScript library available at
Otherwise you have a choice of insecure password storage or insecure
Repoze-dev mailing list
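The SRP exchange recommended above, as an added example that is not code from the list post or from the Repoze project: both sides of a minimal SRP-6a run, with the server holding only a salt and a verifier and the password never leaving the client. Assumptions: a toy 10-bit safe prime (N = 1019, g = 2) stands in for a real RFC 5054 group, SHA-256 is the hash, and all function names are mine.

```python
import hashlib
import secrets

# Added example: a minimal SRP-6a exchange. N is a TOY 10-bit safe prime so the
# values stay readable; real deployments use the RFC 5054 groups instead.
N = 1019  # safe prime ((N - 1) // 2 = 509 is prime); 2 is a generator mod 1019
g = 2

def H(*parts):
    """SHA-256 over the concatenated byte strings, read as a big-endian int."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def ib(n): return n.to_bytes(32, "big")  # fixed-width encoding; all values < 2**256
k = H(ib(N), ib(g))  # SRP-6a multiplier, fixed by the group parameters

def private_x(username, password, salt):  # x = H(salt, H(I ":" P)), client only
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username, password, salt):
    """Enrolment: the server keeps (salt, verifier), never the password or x."""
    return pow(g, private_x(username, password, salt), N)

def server_challenge(v):
    """Server picks ephemeral b and sends B = k*v + g^b (retry the rare B == 0)."""
    while True:
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        if B != 0:
            return b, B

def client_session(username, password, salt, a, A, B):
    """Client: S = (B - k*g^x)^(a + u*x) mod N; the password is never sent."""
    if B % N == 0:
        raise ValueError("invalid server value B")
    u, x = H(ib(A), ib(B)), private_x(username, password, salt)
    return H(ib(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))

def server_session(v, A, b, B):
    """Server: S = (A * v^u)^b mod N, using only the stored verifier."""
    if A % N == 0:
        raise ValueError("invalid client value A")
    return H(ib(pow(A * pow(v, H(ib(A), ib(B)), N), b, N)))

def run_exchange(username, enrolled_pw, attempted_pw):
    """Full round trip: (client_key, server_key) agree only for the right password."""
    salt = secrets.token_bytes(16)
    v = register(username, enrolled_pw, salt)  # stored server-side at enrolment
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                           # client -> server: username, A
    b, B = server_challenge(v)                 # server -> client: salt, B
    return (client_session(username, attempted_pw, salt, a, A, B),
            server_session(v, A, b, B))
```

With the toy group a wrong password can still collide on the 10-bit shared secret by chance, which is one more reason the real parameters must be a full-size group.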