Kless schrieb: > I've seen that TG2 creates a model for identity with md5 and sha1 > hash algorithms. > > Since several years ago is known that those algorithms have collision > weaknesses, and they aren't secure neither using . There are many > information about this. > > Please, change them to any more secure as SHA2, and that it's possible > of use on python 2.5 [1]
We can't use a function that's only available in Python 2.5 by default, since we are committed to supporting Python 2.4 in TG >1.0 and TG2 as well. we could include this hashing algorithm as an alternative though or provide out own implementation of it. Do you have one? Anyway, how would an attack based on these weaknesses actually work? a collision, AFAIK, means that two plain-text messages can produce the same hash. Since the hashing functions are used for encrypting (or rather hashing) passwords, this means that there is the possibility that two passwords would lead to the same hash. Which, in the worst case may mean that the chances of beraking the password by brute force are halved, am I right? Does not sound so serious, IMHO. Chris --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en -~----------~----~----~----~------~----~------~--~---
