The 'framework' used was based on ZOPE but very customized.
The encryption procedure was pretty much like this :
def hash_password(password)
> salt = u"web2$#py"
> password = password + salt
> password = password.encode('utf-8')
> return hashlib.sha256(password).hexdigest()
So what I got in DB are strings made with the above function and I'm trying
to migrate these to web2py.
I tried :
db.auth_user.password.requires = CRYPT(digest_alg='sha256', salt='web2$#py')
But it doesn't work.
Same goes if I try to create a new auth_user with the above crypt validator
: the salted password gets properly recorded but CRYPT() doesn't validate
if I input the right password (I used the shell).
That's why I guessed there may be something wrong with '$' in the salt.
On Sunday, April 13, 2014 5:52:06 PM UTC+2, Massimo Di Pierro wrote:
>
> The problem is not really that you use $ in salt. The probably is that
> web2py and the framework you moved from must have different conventions for
> storing the salt. We use 'alg$salt$pwd'. What do they use? What is the
> framework? If we know we can convert it.
>
>
> On Friday, 11 April 2014 08:38:38 UTC-5, Louis Amon wrote:
>>
>> I'm trying to migrate from another framework to web2py but can't make any
>> of the previous user accounts work : passwords don't match even tho I have
>> the correct salt and algorithm.
>>
>> After much research, I think the issue is in the way web2py stores
>> passwords : 'alg$salt$pwd'
>>
>>
>> My salt uses the character '$' so I guess the regex goes wrong because of
>> that.
>>
>> It's a big issue for me because not being able to seamlessly plug to my
>> database means I'd have to ask all my users to enter a new password.
>>
>>
>> Any solution/advice ?
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
