On Jul 2, 1:27 pm, Kless <[EMAIL PROTECTED]> wrote: > I've seen that TG2 creates a model for identity with md5 and sha1 > hash algorithms. > > Since several years ago is known that those algorithms have collision > weaknesses, and they aren't secure neither using . There are many > information about this. > > Please, change them to any more secure as SHA2, and that it's possible > of use on python 2.5 [1] > >
I think "not secure" is overselling the weakness. From wikipedia: http://en.wikipedia.org/wiki/SHA1 In terms of practical security, a major concern about these new attacks is that they might pave the way to more efficient ones. Whether this is the case has yet to be seen, but a migration to stronger hashes is believed to be prudent. Some of the applications that use cryptographic hashes, such as password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password (typically in the shadow file) which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. Not saying that a stronger hash is a bad thing, but that the existing implementation is still pretty good for its intended purpose. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en -~----------~----~----~----~------~----~------~--~---
