It should be modified.
On Thursday, 30 January 2014 11:35:08 UTC-6, User wrote:
>
> Ok I was confused because the book says
> (http://www.web2py.com/book/default/chapter/09#Settings-and-messages)
>
> The following is a very important setting:
>
> auth.settings.hmac_key = None
>
> It must be set to something like "sha512:a-pass-phrase" and it will be
> passed to the CRYPT validator for the "password" field of the auth_user
> table. It will be the algorithm and a-pass-phrase used to hash the
> passwords.
>
> Do you think the book should be modified to reflect that this is
> automatically done already?
>
> I see in a different section it says:
>
> The password field of the db.auth_user table defaults to a CRYPT
> validator, which needs an hmac_key. On legacy web2py applications you may
> see an extra argument passed to the Auth constructor:
> hmac_key = Auth.get_or_create_key(). The latter is a function that reads
> the HMAC key from a file "private/auth.key" within the application folder.
> If the file does not exist it creates a random hmac_key. If multiple apps
> share the same auth database, make sure they also use the same hmac_key.
> This is no longer necessary for new applications since passwords are
> salted with an individual random salt.
>
> But it wasn't clear to me whether I should set it or not as the two
> sections kind of go against each other.
>
> On Thursday, January 30, 2014 8:42:37 AM UTC-5, Massimo Di Pierro wrote:
>
>> This is really not necessary since we automatically salt and hash all
>> passwords.
>>
>> On Tuesday, 28 January 2014 17:04:37 UTC-6, User wrote:
>>
>>> Is it best practice to set
>>> auth.settings.hmac_key='sha512:somelongpassword'? Or is this not
>>> necessary? And if I should do it, does it need to be done before
>>> auth.define_tables?
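The difference between a per-password random salt and an application-wide hmac_key, as discussed in this thread, can be seen in a short sketch. This is an added example, not part of the original thread and not web2py's own code: the function names, the stored-string layout, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; not web2py's defaults.
ITERATIONS = 100_000
DIGEST = "sha512"

def _derive(password, salt, iterations, digest, hmac_key):
    secret = password.encode("utf-8")
    if hmac_key:
        # Optional application-wide key: a secret kept outside the database
        # that is mixed into every hash before key stretching.
        secret = hmac.new(hmac_key.encode("utf-8"), secret, digest).digest()
    return hashlib.pbkdf2_hmac(digest, secret, salt.encode("utf-8"), iterations).hex()

def hash_password(password, hmac_key=None):
    """Return 'pbkdf2(iterations,digest)$salt$hash' with a fresh salt per call."""
    salt = secrets.token_hex(16)  # individual random salt, stored next to the hash
    digest_hex = _derive(password, salt, ITERATIONS, DIGEST, hmac_key)
    return "pbkdf2(%d,%s)$%s$%s" % (ITERATIONS, DIGEST, salt, digest_hex)

def verify_password(password, stored, hmac_key=None):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        header, salt, expected = stored.split("$")
        iterations, digest = header[len("pbkdf2("):-1].split(",")
        actual = _derive(password, salt, int(iterations), digest, hmac_key)
    except ValueError:
        return False  # malformed record or unknown digest
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))

if __name__ == "__main__":
    a = hash_password("correct horse")
    b = hash_password("correct horse")
    print(a != b)                                # same password, different records
    print(verify_password("correct horse", a))   # salt is read back from the record
    keyed = hash_password("correct horse", hmac_key="constructed-app-key")
    print(verify_password("correct horse", keyed))  # fails without the shared key
```

With only a random salt, everything needed for verification is in the stored record; once a key is added, every application that reads the same auth table must be configured with that same key.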

