Now I get the point! Thank you very much Jonathan.

Marco

Sent from my iPad
> On 26/nov/2013, at 16:41, Jonathan Lundell <[email protected]> wrote:
>
>> On 26 Nov 2013, at 2:05 AM, Mchurch <[email protected]> wrote:
>>
>> Dear all, I'm a little bit lost with the Crypto method.
>> I need authentication from a mobile app towards web2py.
>> If I'm not wrong, web2py now uses sha512 as the default to crypt the auth user
>> password.
>> From my iOS app I'm sending the password encrypted with the same hash
>> algorithm, sha512, because I don't want to send the password in clear through
>> the net.
>> From the web2py console I can do:
>>
>> b='sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648'
>>
>> where b is exactly my mobile password string that I'm sending to web2py
>> through JSON.
>>
>> >>> b
>> 'sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648'
>>
>> >>> a= CRYPT(digest_alg='sha512',salt=False)('pippo')[0]
>>
>> Now, if I do a==b, it returns True.
>>
>> The problem is that I'm not able to compare the auth.user password with my
>> mobile password!
>>
>> Both are encrypted with the same algorithm, but auth.login_bare(user,psw)
>> always returns False because it wants the clear password.
>>
>> The solution to me appears to be that I have to compare the two encrypted
>> passwords, but maybe I'm on the wrong way.
>>
>> Help please...
>
> Briefly: you don't want to do that.
>
> Why? In the scheme you propose, the hash effectively becomes the password, and
> is stored as if unhashed in the database, to be compared directly with what
> comes in over the wire. So if your database is compromised, the attacker can
> log into any account simply by presenting the password (hash) stored in the
> database. Compare that to the usual method, where the user transmits the
> password: the point of the hash is that the password cannot be
> reverse-engineered from the hash (if it's a good password!).
>
> Protecting the password in flight is easy enough: use https.
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the Google
> Groups "web2py-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/web2py/tgIBbxzUBSA/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
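The failure Jonathan describes, shown in runnable form. This is an added example, not code from the thread or from web2py: `db` is an in-memory dict standing in for the auth_user table, PBKDF2 (stdlib `hashlib.pbkdf2_hmac`) stands in for web2py's CRYPT validator in the "proper" scheme, and the `sha512$$<hex>` layout mirrors the value in the post on the assumption that the digest is plain SHA-512 of the UTF-8 password. HTTPS is assumed for the plaintext leg and is not modelled.

```python
"""Why 'send the hash instead of the password' turns a DB leak into account takeover.

Added example, not web2py code. `db` is a plain dict standing in for the
auth_user table; PBKDF2 stands in for web2py's CRYPT validator. Transport
security (HTTPS) is assumed and not modelled here.
"""
import hashlib
import hmac
import os


# --- Scheme A: what the original post proposes ----------------------------
def sha512_token(password: str) -> str:
    """'sha512$$<hex>': the unsalted layout shown in the post.
    Assumption: the digest is plain SHA-512 of the UTF-8 password."""
    return "sha512$$" + hashlib.sha512(password.encode("utf-8")).hexdigest()


def register_a(db: dict, user: str, password: str) -> None:
    db[user] = sha512_token(password)


def login_a(db: dict, user: str, token_from_wire: str) -> bool:
    """Server compares the stored string with what the client sent.
    Whatever sits in the DB *is* the credential, so a DB copy is enough."""
    return hmac.compare_digest(db.get(user, ""), token_from_wire)


# --- Scheme B: client sends the plaintext (over TLS), server salts and hashes
ITERATIONS = 100_000  # work factor; illustrative value


def _pbkdf2(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def register_b(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    db[user] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${_pbkdf2(password, salt)}"


def login_b(db: dict, user: str, password_from_wire: str) -> bool:
    """Recompute the salted hash from the submitted plaintext and compare.
    The stored record is a verifier, not a credential."""
    record = db.get(user)
    if record is None:
        return False
    _alg, _iters, salt_hex, stored = record.split("$")
    return hmac.compare_digest(stored, _pbkdf2(password_from_wire, bytes.fromhex(salt_hex)))


def run_demo() -> dict:
    """Legitimate login vs. an attacker who only holds a copy of the table."""
    db_a, db_b = {}, {}
    register_a(db_a, "marco", "pippo")  # constructed sample user
    register_b(db_b, "marco", "pippo")

    leaked_a = dict(db_a)  # attacker's copy of the table
    leaked_b = dict(db_b)

    return {
        "A_honest": login_a(db_a, "marco", sha512_token("pippo")),
        # Scheme A: replaying the leaked row logs in; no password needed.
        "A_leak_replay": login_a(db_a, "marco", leaked_a["marco"]),
        "B_honest": login_b(db_b, "marco", "pippo"),
        # Scheme B: the leaked row is not a valid password; the attacker
        # still has to recover the preimage.
        "B_leak_replay": login_b(db_b, "marco", leaked_b["marco"]),
        "B_wrong_password": login_b(db_b, "marco", "pippa"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

`A_leak_replay` succeeding is the whole objection: in scheme A the database row is a pass-the-hash token. In scheme B the row alone gets the attacker nowhere, which is why the mobile client should send the real password over HTTPS and let `auth.login_bare` do the hashing server-side.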

