Doug's analysis of the patch is right on, but he doesn't go far enough.

1. The author of the patch clearly thinks that security consists of
sprinkling magic SHA-1 HMAC challenge response pixie dust over the code
in a random fashion.  This means that any revised patch must be viewed
with suspicion.

2. SHA-1 isn't even the recommended flavor of pixie dust anymore.  Use

The right thing to do is have the login over SSL.

The next best thing to do is to use SRP.  It's the only thing that lets
you have secure passwords on the server and secure transmission of
passwords from the client.  There's a JavaScript library available at

Otherwise you have a choice of insecure password storage or insecure
password transmission.

Repoze-dev mailing list

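To make concrete what the message means by "secure passwords on the server and secure transmission of passwords from the client", here is an added worked example of an SRP-6a exchange in Python. It is not code from the original message, the patch under discussion, or the Repoze project: it assumes SHA-256 as the hash, the 1024-bit group from RFC 5054 (the smallest the RFC lists; pick a larger one for real use), and that both sides run in one process so the wire messages are just function arguments. The server stores only a salt and the verifier v = g^x, the client sends only A and a key-confirmation hash, and both sides arrive at the same session key without the password ever leaving the client.

```python
"""SRP-6a exchange with a password verifier on the server (added example).

Assumptions: SHA-256 as H, RFC 5054's 1024-bit group, messages passed as
function arguments rather than over a socket.  Use a vetted library and a
larger group in production; this is here to show the data flow.
"""
import hashlib
import hmac
import os

# RFC 5054 Appendix A, 1024-bit group (generator g = 2).
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires for hashing."""
    return x.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def derive_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)); computed only on the client."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def register(username: bytes, password: bytes):
    """Enrolment: the server stores (salt, v) and never sees the password."""
    salt = os.urandom(16)
    v = pow(g, derive_x(salt, username, password), N)
    return salt, v


def client_start():
    """Client -> server: A = g^a.  The password is not involved yet."""
    a = int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)


def server_challenge(v: int, A: int):
    """Server -> client: B = k*v + g^b.  Rejects A = 0 mod N (RFC 5054 2.5.4)."""
    if A % N == 0:
        raise ValueError("client public value A is invalid")
    b = int.from_bytes(os.urandom(32), "big")
    return b, (k * v + pow(g, b, N)) % N


def scrambler(A: int, B: int) -> int:
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("scrambling parameter u is zero")
    return u


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("server public value B is invalid")
    u = scrambler(A, B)
    x = derive_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(v, b, A, B) -> bytes:
    u = scrambler(A, B)
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def key_proof(A: int, B: int, K: bytes) -> bytes:
    """M1 = H(A | B | K): proves key knowledge without revealing K or x."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def authenticate(username: bytes, password: bytes, attempt: bytes) -> bool:
    """Full round trip: enrol with `password`, then log in with `attempt`.
    Returns True only if the server accepts the client's key proof."""
    salt, v = register(username, password)      # server-side record
    a, A = client_start()                       # client -> server: username, A
    b, B = server_challenge(v, A)               # server -> client: salt, B
    K_client = client_session_key(username, attempt, salt, a, A, B)
    M1 = key_proof(A, B, K_client)              # client -> server: M1
    K_server = server_session_key(v, b, A, B)
    return hmac.compare_digest(M1, key_proof(A, B, K_server))


if __name__ == "__main__":
    print("correct password accepted:", authenticate(b"alice", b"hunter2", b"hunter2"))
    print("wrong password accepted:  ", authenticate(b"alice", b"hunter2", b"hunter3"))
```

Contrast this with a SHA-1 HMAC challenge-response: there the server must keep something equivalent to the password (or the HMAC key derived from it) to verify the response, so a database leak hands an attacker everything needed to log in. With SRP a leaked (salt, v) pair still requires an offline dictionary attack on x, and nothing captured on the wire (A, B, M1) helps without it.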