Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-22 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: > Uli Fouquet wrote: [snip] > > Any reviews by the more competent gurus in the list are highly > > appreciated. > > Your implementation and docs look fine to me. Thanks for reviewing! It's all in trunk now. > The only comment I have > is I wonder why this is zo

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Shane Hathaway
Uli Fouquet wrote: > Do we need a SMD5-manager as well (same as SSHA, only with MD5 instead > of SHA1 as hash algorithm)? I doubt it. > Any reviews by the more competent gurus in the list are highly > appreciated. Your implementation and docs look fine to me. The only comment I have is I wonde

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Shane Hathaway
Uli Fouquet wrote: > Ok. I'll put something into the zope.app.authentication branches for > review. Great! > Two remaining questions: I would like to use `os.urandom` instead of > `random.randint` to create the salt, because this is recommended in > cryptographic contexts. There was, however, a p

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Uli Fouquet
Hi there, thanks for all input so far :-) Martijn Faassen wrote: > Shane Hathaway wrote: > [snip] > > Also, every encrypted password should have a scheme name prefix in curly > > braces, such as "{SSHA}", as discussed earlier in this thread. That > > makes it possible to support multiple schem

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Martijn Faassen
Shane Hathaway wrote: [snip] > Also, every encrypted password should have a scheme name prefix in curly > braces, such as "{SSHA}", as discussed earlier in this thread. That > makes it possible to support multiple schemes in a single database, > which is essential for migration to new schemes.

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: > Uli Fouquet wrote: > > Shane Hathaway wrote: > >> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup > > > > Is there some recent documentation about SSHA available? The Netscape > > links seem to be down. > > I'm not

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Uli Fouquet wrote: > Is there some recent documentation about SSHA available? The Netscape > links seem to be down. I finally found a good source. Look at the Python code at the bottom of this page: http://www.openldap.org/faq/data/cache/347.html Shane

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Uli Fouquet wrote: > Shane Hathaway wrote: >> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup > > Is there some recent documentation about SSHA available? The Netscape > links seem to be down. I'm not sure where to find that documentation now (Mozill

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Martijn Faassen wrote: > Shane Hathaway wrote: >> We should really be using the SSHA standard (as defined by LDAP) as a >> minimum. SSHA was the default in Zope 2, but someone forgot to bring >> this code over to Zope 3. >> >> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: > We should really be using the SSHA standard (as defined by LDAP) as a > minimum. SSHA was the default in Zope 2, but someone forgot to bring > this code over to Zope 3. > > http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Martijn Faassen
Shane Hathaway wrote: > Uli Fouquet wrote: >> while working on a password manager tool (commandline) for Grok I >> stumbled over the usage of salts in the password managers of >> `zope.app.authentication`. >> >> In short, they seem to generate (and store) a salt number but do not >> make any use of

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-19 Thread Uli Fouquet
Hi there, Martijn Faassen wrote: > Uli Fouquet wrote: > > I'd be glad to provide a fix for this, but I am undecided how we could > > support administrators best to upgrade their password bases. > > I'm speaking here mostly from a position of ignorance of these affairs, > but is it possible to u

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-19 Thread Tres Seaver
Martijn Faassen wrote: > Hi there, > > Uli Fouquet wrote: >> I'd be glad to provide a fix for this, but I am undecided how we could >> support administrators best to upgrade their password bases. > > I'm speaking here mostly from a position of ignora

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-19 Thread Martijn Faassen
Hi there, Uli Fouquet wrote: > I'd be glad to provide a fix for this, but I am undecided how we could > support administrators best to upgrade their password bases. I'm speaking here mostly from a position of ignorance of these affairs, but is it possible to upgrade the current passwords to a mo

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-18 Thread Uli Fouquet
Hi there, to answer myself ;-) Uli Fouquet wrote: > Dan Korostelev wrote: > > Yeah, that's definitely a mistake! The hash needs to be generated > > using both salt and password. > > [snip] > > BTW, to fix it, we need to remember about migration of already stored > > hashes. I guess zope.app.ge

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Wichert Akkerman
Previously Uli Fouquet wrote: > Hi Dan, > > thanks for your quick response. > > Dan Korostelev wrote: > > Yeah, that's definitely a mistake! The hash needs to be generated > > using both salt and password. > > > > Also, I saw a technique when you generate a hash using double hashing, > > like th

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Uli Fouquet
Hi Dan, thanks for your quick response. Dan Korostelev wrote: > Yeah, that's definitely a mistake! The hash needs to be generated > using both salt and password. > > Also, I saw a technique when you generate a hash using double hashing, > like this: sha(sha(password) + salt).hexdigest(). It look

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Shane Hathaway
Uli Fouquet wrote: > while working on a password manager tool (commandline) for Grok I > stumbled over the usage of salts in the password managers of > `zope.app.authentication`. > > In short, they seem to generate (and store) a salt number but do not > make any use of it when it comes to creating

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Wichert Akkerman
Previously Dan Korostelev wrote: > Yeah, that's definitely a mistake! The hash needs to be generated > using both salt and password. > > Also, I saw a technique when you generate a hash using double hashing, > like this: sha(sha(password) + salt).hexdigest(). It looks even more > secure :) Why wo

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Dan Korostelev
Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. Also, I saw a technique when you generate a hash using double hashing, like this: sha(sha(password) + salt).hexdigest(). It looks even more secure :) BTW, to fix it, we need to remember about migration

[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Uli Fouquet
Hi there, while working on a password manager tool (commandline) for Grok I stumbled over the usage of salts in the password managers of `zope.app.authentication`. In short, they seem to generate (and store) a salt number but do not make any use of it when it comes to creating the hashes (SHA1, M