Both methods are really flawed and we all know it; adding a "random" flavor to the salt (and storing it somewhere) is no more difficult to "crack" than salting a password with the first, third and fifth letters of the original password, for example (or the way I am doing it, for that matter).

I believe we all know that MD5 is not the best hashing algorithm, since it only supports a 128-bit digest length. The problem is that we are not *encrypting* our passwords, but rather hashing them; python does not provide, afaik, a good encryption implementation (without the use of 3rd parties), and implementing an encrypting algorithm will surely render web2py incompatible with "earlier" versions. It does not really matter what we "salt" our hashes with, they will always be breakable, period.

Now, assuming that we'll continue using MD5(unsalted_passwd), the *truly* only way to "defeat" rainbow table attacks is simple and does not involve breaking backwards compatibility: use strong passwords. If your password is [myname][myDOB], you *deserve* to be hacked (I'm kidding of course).

Thx,
Julio

On Jul 31, 8:31 am, Jonathan Lundell <[email protected]> wrote:
> You're missing something. From my earlier post, you create the
> password thus (I've added a separator byte for convenience):
>
> import hashlib, random
>
> passwd = "Hello World"
> salt = str(random.randint(1, 1000000))
> hashed_pwd = hashlib.md5(passwd+salt).hexdigest()+":"+salt
>
> To check the password, retrieve the user's hashed_pwd from the user
> db, split it on ":" to retrieve the salt, append it to the password to
> be checked, and compare the hash of the result to the hash part of the
> split.
>
> (I've used randint.str as a simple example; in practice you'd use a
> more dense representation, and while you're at it you'd use a better
> hash than md5.)
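The "digest:salt" scheme Jonathan describes, written out as a create/verify pair. This is an added example, not code from the thread or from web2py; the function names, the use of `secrets` for the salt, the default of sha256 (md5 is still selectable for compatibility) and the constant-time comparison are my own choices.

```python
import hashlib
import hmac
import secrets

# Hypothetical helper names; the stored format "<hexdigest>:<salt>" and the
# verify-by-splitting step follow the scheme described in the thread.

SEP = ":"


def hash_password(passwd, algo="sha256", salt=None):
    """Return "<hexdigest>:<salt>". A fresh random salt is drawn unless given.

    Because the salt is random per user, two users with the same password get
    different stored values, which is what defeats a precomputed table.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, hex-encoded
    if SEP in salt:
        raise ValueError("salt must not contain the separator")
    digest = hashlib.new(algo, (passwd + salt).encode("utf-8")).hexdigest()
    return digest + SEP + salt


def verify_password(passwd, stored, algo="sha256"):
    """Split the stored value on ':' to recover the salt, re-hash, compare."""
    try:
        digest, salt = stored.split(SEP, 1)
    except ValueError:           # malformed record: no separator present
        return False
    candidate = hashlib.new(algo, (passwd + salt).encode("utf-8")).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = hash_password("Hello World")
    print(stored)
    print(verify_password("Hello World", stored))   # True
    print(verify_password("hello world", stored))   # False
```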

