The CRYPT validator is insecure because it uses unsalted MD5. There are public rainbow tables that cover unsalted MD5 hashes of passwords up to 10 characters long, including symbols.
I highly recommend that if no "key" is specified, CRYPT automatically salt the password based on a substring of the password itself. For example:

password = "secretpass"
hash = md5(password + password[-1])

This will of course break backward compatibility, but this is a real security vulnerability.
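The attack the post describes, worked through in Python as an added example (this is editor-added code, not web2py's CRYPT validator and not the poster's proposal). The hypothetical RAINBOW_TABLE is a constructed three-entry stand-in for a public unsalted-MD5 lookup table; hash_unsalted is the scheme the post complains about, and hash_salted/verify_salted show the usual alternative of a random per-user salt stored next to the digest in a "salt$digest" string. The names, the storage format and the "$" separator are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny stand-in for a public unsalted-MD5 lookup table.
# A real rainbow table covers billions of candidates; three entries are enough
# to show a lookup succeeding against a bare digest.
RAINBOW_TABLE = {
    hashlib.md5(pw.encode()).hexdigest(): pw
    for pw in ("secretpass", "password1", "letmein!")
}


def hash_unsalted(password):
    """The scheme the post objects to: bare MD5 of the password, no key, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Random per-user salt, stored with the digest as 'salt$digest'.

    Hypothetical storage format for this illustration. Because the salt is
    random and differs per user, an attacker would need a separate
    precomputed table for every salt value, which defeats a generic table.
    """
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def verify_salted(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.md5((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def lookup_in_table(stored):
    """Attacker's step: try to reverse a stored value with the precomputed table.

    Works on both 'digest' and 'salt$digest' strings; returns the recovered
    password, or None when the digest is not in the table.
    """
    digest = stored.rsplit("$", 1)[-1]
    return RAINBOW_TABLE.get(digest)


if __name__ == "__main__":
    print(lookup_in_table(hash_unsalted("secretpass")))  # recovered from the table
    print(lookup_in_table(hash_salted("secretpass")))    # None: salt changed the digest
```

Note that a random salt only removes the precomputation advantage; MD5 itself remains fast enough for brute force, so a deliberately slow password hash (bcrypt, scrypt, PBKDF2) is what a practitioner would actually deploy.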