I know next to nothing about this stuff, but yesterday I had to do
some stuff with htpasswd and I noticed you can actually use different
hash schemes in the same password file (at least I saw a mix of salted
and unsalted hashes). Couldn't this be used to solve the compatibility
issue? Assuming that you can recognize the hashing scheme from the
hash in the table, a new, more secure algorithm could be added as
default and both old and new passwords would keep on working.

This is not as secure as forcing people to retype their password, like
Julio suggested, but at least it would make the default install more
secure.

my 2c

On Jul 31, 11:31 am, Jonathan Lundell <[email protected]> wrote:
> On Jul 31, 2009, at 8:07 AM, Julio wrote:
>
> > On Jul 31, 1:19 am, Jonathan Lundell <[email protected]> wrote:
>
> >> I'm suggesting (sticking with md5 for comparability):
>
> >>         md5(password+random)+random
>
> >> ...where random is randomly chosen for each new password.
>
> >> You're suggesting?
>
> > How can you hash a password with a "random" salt? The whole purpose
> > of the authentication logic is to be able to recreate the hash in
> > order to compare against what is stored in the database. Under this
> > premise, let's scrap the entire hashing issue and just set the
> > passwords to str(random.random())[2:], or am I missing something here?
>
> You're missing something. From my earlier post, you create the  
> password thus (I've added a separator byte for convenience):
>
> import hashlib
> import random
>
> passwd = "Hello World"
> salt = str(random.randint(1, 1000000))   # fresh salt for each new password
> hashed_pwd = hashlib.md5(passwd+salt).hexdigest()+":"+salt   # stored value: digest, separator, salt
>
> To check the password, retrieve the user's hashed_pwd from the user  
> db, split it on ":" to retrieve the salt, append it to the password to  
> be checked, and compare the hash of the result to the hash part of the  
> split.
>
> (I've used randint.str as a simple example; in practice you'd use a  
> more dense representation, and while you're at it you'd use a better  
> hash than md5.)
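The two ideas in this thread (a per-password random salt stored next to the digest, and a user table that holds several hash formats at once so a stronger default can be introduced without breaking old rows) fit together in one small module. The following is an added example written for this page; it is not web2py code and not code from any poster. It assumes three constructed storage formats: a bare 32-hex unsalted md5 (the legacy form), Jonathan's `md5(password+salt):salt` layout, and a `pbkdf2_sha256$iterations$salt$digest` string for new passwords, using `hashlib.pbkdf2_hmac` as the "better hash than md5". The scheme is recognised from the shape of the stored string alone, and a legacy row is silently rewritten in the new format the next time the user logs in, which is the only moment the plaintext is available to do so.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread or from web2py. Stored formats (constructed):
#   md5_plain      bare 32-hex md5(password), the unsalted legacy form
#   md5_salted     md5(password+salt) + ":" + salt, the layout from the quoted post
#   pbkdf2_sha256  "pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>", the default
#                  for new passwords (salted, slow KDF from the standard library)
DEFAULT_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000
HEX_DIGITS = set("0123456789abcdef")


def identify_scheme(stored):
    """Recognise which scheme produced a stored value from its shape alone."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if ":" in stored:
        digest, _salt = stored.split(":", 1)
        if len(digest) == 32 and set(digest) <= HEX_DIGITS:
            return "md5_salted"
    if len(stored) == 32 and set(stored) <= HEX_DIGITS:
        return "md5_plain"
    raise ValueError("unrecognised password hash format")


def hash_password(password, scheme=DEFAULT_SCHEME, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return the stored form of `password` under `scheme`, drawing a fresh salt if none is given.

    For pbkdf2_sha256 the salt is a hex string (it is decoded to bytes for the KDF)."""
    pw = password.encode("utf-8")
    if scheme == "md5_plain":
        return hashlib.md5(pw).hexdigest()
    if salt is None:
        salt = secrets.token_hex(16)  # random per-password salt, from the OS CSPRNG
    if scheme == "md5_salted":
        return hashlib.md5(pw + salt.encode("utf-8")).hexdigest() + ":" + salt
    if scheme == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt), iterations)
        return "$".join(["pbkdf2_sha256", str(iterations), salt, digest.hex()])
    raise ValueError("unknown scheme: %s" % scheme)


def verify_password(password, stored):
    """Return (matches, needs_upgrade).

    The candidate is re-hashed under whatever scheme the stored row is in; the
    salt and parameters are read back out of the stored value itself."""
    scheme = identify_scheme(stored)
    iterations_used = PBKDF2_ITERATIONS
    if scheme == "md5_plain":
        expected = hash_password(password, "md5_plain")
    elif scheme == "md5_salted":
        salt = stored.split(":", 1)[1]
        expected = hash_password(password, "md5_salted", salt=salt)
    else:
        _name, iterations, salt, _digest = stored.split("$")
        iterations_used = int(iterations)
        expected = hash_password(password, "pbkdf2_sha256", salt=salt, iterations=iterations_used)
    matches = hmac.compare_digest(expected, stored)  # constant-time comparison
    # Upgrade legacy schemes, and also rows whose KDF cost has fallen below the current setting.
    needs_upgrade = matches and (scheme != DEFAULT_SCHEME or iterations_used < PBKDF2_ITERATIONS)
    return matches, needs_upgrade


def login(users, username, password):
    """Check a login against the `users` dict and migrate legacy rows on success."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, upgrade = verify_password(password, stored)
    if ok and upgrade:
        users[username] = hash_password(password)  # plaintext is in hand only at login time
    return ok


if __name__ == "__main__":
    # Constructed user table mixing all three formats, as the htpasswd observation describes.
    users = {
        "legacy_user": hash_password("Hello World", "md5_plain"),
        "salted_user": hash_password("Hello World", "md5_salted"),
        "new_user": hash_password("Hello World"),
    }
    for name in users:
        before = identify_scheme(users[name])
        ok = login(users, name, "Hello World")
        print(name, before, "->", identify_scheme(users[name]), "login ok:", ok)
```

Because `identify_scheme` reads the format off the stored string, adding a fourth scheme later means adding one branch, not re-hashing anything in place; the old rows keep authenticating and are upgraded one login at a time. Rows for users who never log in again stay in the weak format, which is the trade-off the post acknowledges against forcing everyone to retype their password.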
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.