Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-22 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: Uli Fouquet wrote: [snip] Any reviews by the more competent gurus in the list are highly appreciated. Your implementation and docs look fine to me. Thanks for reviewing! It's all in trunk now. The only comment I have is I wonder why this is

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: Uli Fouquet wrote: Shane Hathaway wrote: http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup Is there some recent documentation about SSHA available? The Netscape links seem to be down. I'm not sure where to

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Martijn Faassen
Shane Hathaway wrote: [snip] Also, every encrypted password should have a scheme name prefix in curly braces, such as {SSHA}, as discussed earlier in this thread. That makes it possible to support multiple schemes in a single database, which is essential for migration to new schemes. +1

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Uli Fouquet
Hi there, thanks for all input so far :-) Martijn Faassen wrote: Shane Hathaway wrote: [snip] Also, every encrypted password should have a scheme name prefix in curly braces, such as {SSHA}, as discussed earlier in this thread. That makes it possible to support multiple schemes in a

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Shane Hathaway
Uli Fouquet wrote: Ok. I'll put something into the zope.app.authentication branches for review. Great! Two remaining questions: I would like to use `os.urandom` instead of `random.randint` to create the salt, because this is recommended in cryptographic contexts. There was, however, a

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-21 Thread Shane Hathaway
Uli Fouquet wrote: Do we need a SMD5-manager as well (same as SSHA, only with MD5 instead of SHA1 as hash algorithm)? I doubt it. Any reviews by the more competent gurus in the list are highly appreciated. Your implementation and docs look fine to me. The only comment I have is I wonder

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Martijn Faassen
Shane Hathaway wrote: Uli Fouquet wrote: while working on a password manager tool (commandline) for Grok I stumbled over the usage of salts in the password managers of `zope.app.authentication`. In short, they seem to generate (and store) a salt number but do not make any use of it when it

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Uli Fouquet
Hi there, Shane Hathaway wrote: We should really be using the SSHA standard (as defined by LDAP) as a minimum. SSHA was the default in Zope 2, but someone forgot to bring this code over to Zope 3.

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Martijn Faassen wrote: Shane Hathaway wrote: We should really be using the SSHA standard (as defined by LDAP) as a minimum. SSHA was the default in Zope 2, but someone forgot to bring this code over to Zope 3.

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Uli Fouquet wrote: Shane Hathaway wrote: http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup Is there some recent documentation about SSHA available? The Netscape links seem to be down. I'm not sure where to find that documentation now (Mozilla

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-20 Thread Shane Hathaway
Uli Fouquet wrote: Is there some recent documentation about SSHA available? The Netscape links seem to be down. I finally found a good source. Look at the Python code at the bottom of this page: http://www.openldap.org/faq/data/cache/347.html Shane

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-19 Thread Martijn Faassen
Hi there, Uli Fouquet wrote: I'd be glad to provide a fix for this, but I am undecided how we could support administrators best to upgrade their password bases. I'm speaking here mostly from a position of ignorance of these affairs, but is it possible to upgrade the current passwords to a

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-19 Thread Tres Seaver
Martijn Faassen wrote: Hi there, Uli Fouquet wrote: I'd be glad to provide a fix for this, but I am undecided how we could support administrators best to upgrade their password bases. I'm speaking here mostly from a position of ignorance of

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-18 Thread Uli Fouquet
Hi there, to answer myself ;-) Uli Fouquet wrote: Dan Korostelev wrote: Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. [snip] BTW, to fix it, we need to remember about migration of already stored hashes. I guess zope.app.generations

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Dan Korostelev
Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. Also, I saw a technique when you generate a hash using double hashing, like this: sha(sha(password) + salt).hexdigest(). It looks even more secure :) BTW, to fix it, we need to remember about

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Wichert Akkerman
Previously Dan Korostelev wrote: Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. Also, I saw a technique when you generate a hash using double hashing, like this: sha(sha(password) + salt).hexdigest(). It looks even more secure :) Why would

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Shane Hathaway
Uli Fouquet wrote: while working on a password manager tool (commandline) for Grok I stumbled over the usage of salts in the password managers of `zope.app.authentication`. In short, they seem to generate (and store) a salt number but do not make any use of it when it comes to creating the

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Uli Fouquet
Hi Dan, thanks for your quick response. Dan Korostelev wrote: Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. Also, I saw a technique when you generate a hash using double hashing, like this: sha(sha(password) + salt).hexdigest(). It looks

Re: [Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

2009-01-17 Thread Wichert Akkerman
Previously Uli Fouquet wrote: Hi Dan, thanks for your quick response. Dan Korostelev wrote: Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password. Also, I saw a technique when you generate a hash using double hashing, like this: