Ok, I was confused because the book says (http://www.web2py.com/book/default/chapter/09#Settings-and-messages):

    The following is a very important setting:

        auth.settings.hmac_key = None

    It must be set to something like "sha512:a-pass-phrase" and it will be passed to the CRYPT validator for the "password" field of the auth_user table. It will be the algorithm and a-pass-phrase used to hash the passwords.

Do you think the book should be modified to reflect that this is automatically done already? I see in a different section it says:

    The password field of the db.auth_user table defaults to a CRYPT validator, which needs an hmac_key. On legacy web2py applications you may see an extra argument passed to the Auth constructor: hmac_key = Auth.get_or_create_key(). The latter is a function that reads the HMAC key from a file "private/auth.key" within the application folder. If the file does not exist it creates a random hmac_key. If multiple apps share the same auth database, make sure they also use the same hmac_key. This is no longer necessary for new applications since passwords are salted with an individual random salt.

But it wasn't clear to me whether I should set it or not, as the two sections kind of go against each other.

On Thursday, January 30, 2014 8:42:37 AM UTC-5, Massimo Di Pierro wrote:
> This is really not necessary since we automatically salt and hash all
> passwords.
>
> On Tuesday, 28 January 2014 17:04:37 UTC-6, User wrote:
>
>> Is best practice to set
>> auth.settings.hmac_key='sha512:somelongpassword'? Or is this not
>> necessary? And if I should do it, does it need to be done before
>> auth.define_tables?
>>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
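The thread contrasts two things: a per-password random salt (which web2py applies automatically, per Massimo's reply) and an optional server-side hmac_key of the form "sha512:a-pass-phrase" (which the book section describes). The following is an added illustration written for this page; it is not web2py's CRYPT validator and does not reproduce its storage format. The "algorithm$salt$digest" layout, the parse_hmac_key helper and the function names are assumptions made here to show why a random salt alone already gives every user a distinct hash, and why, once an hmac_key is in use, every application sharing the auth table must use the same one.

```python
import hashlib
import hmac
import secrets

# Illustrative model only (not web2py's CRYPT validator). Stored value layout
# "algorithm$salt$digest" is an assumption chosen for this example.

DEFAULT_ALGORITHM = "sha512"


def parse_hmac_key(hmac_key):
    """Split a key written like the book's "sha512:a-pass-phrase" into
    (algorithm, secret). None means: unkeyed hash with the default algorithm."""
    if hmac_key is None:
        return DEFAULT_ALGORITHM, None
    algorithm, sep, secret = hmac_key.partition(":")
    if not sep or not secret:
        raise ValueError("hmac_key must look like 'algorithm:secret'")
    return algorithm, secret


def _digest(algorithm, salt, password, secret=None):
    """Hash salt+password; with a secret, use an HMAC keyed with it so a
    leaked table alone is not enough to test guesses offline."""
    data = (salt + password).encode("utf-8")
    if secret is None:
        return hashlib.new(algorithm, data).hexdigest()
    return hmac.new(secret.encode("utf-8"), data, algorithm).hexdigest()


def hash_password(password, salt=None, hmac_key=None):
    """Return 'algorithm$salt$digest'. A fresh random salt is drawn per call
    when none is given, so two users with the same password get different
    stored values even without any hmac_key."""
    algorithm, secret = parse_hmac_key(hmac_key)
    if salt is None:
        salt = secrets.token_hex(16)
    return "%s$%s$%s" % (algorithm, salt, _digest(algorithm, salt, password, secret))


def verify_password(password, stored, hmac_key=None):
    """Recompute with the salt and algorithm recorded in `stored`; the caller
    must supply the same hmac_key (if any) that was used when hashing."""
    try:
        algorithm, salt, digest = stored.split("$")
    except ValueError:
        return False
    _, secret = parse_hmac_key(hmac_key)
    candidate = _digest(algorithm, salt, password, secret)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample input, not data from the thread.
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored))            # True
    keyed = hash_password("hunter2", hmac_key="sha512:a-pass-phrase")
    print(verify_password("hunter2", keyed))             # False: key missing
    print(verify_password("hunter2", keyed, "sha512:a-pass-phrase"))  # True
```

The last two calls are the practical consequence of the book's "make sure they also use the same hmac_key" sentence: a second application that shares the auth table but was started without the key, or with a different one, cannot verify anything the first application stored.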