Using a salt (token in your example) is a bit primitive and vulnerable to certain attacks.
Web2py uses hmac+md5 or hmac+sha512. The password can be specified by:

auth.settings.hmac_key='sha512:mypassword'

which is passed to the validator CRYPT(hmac_key='....')

Massimo

The prefix: (sha512) specifies the algorithm.

On Jan 4, 6:31 pm, David Bain <[email protected]> wrote:
> I'm not sure how passwords are hashed in web2py. If it uses a token, where
> is it stored?
>
> I'm guessing that it uses something like this:
>
> from hashlib import md5
>
> token = 'insecure'
>
> tokenizedHash = md5(password + token)
>
> print tokenizedHash.hexdigest()
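
The keyed-hash scheme described in the reply above, sketched with Python's standard library. This is an added example, not web2py's own code and not part of the original thread; the function names are hypothetical, and falling back to md5 when the setting has no "alg:" prefix is an assumption.

```python
import hashlib
import hmac

DEFAULT_ALG = "md5"  # assumption: algorithm used when no "alg:" prefix is given


def parse_hmac_key(setting):
    """Split a setting such as 'sha512:mypassword' into (algorithm, key bytes)."""
    alg, sep, key = setting.partition(":")
    if not sep:
        # No prefix: the whole string is the key.
        alg, key = DEFAULT_ALG, setting
    if alg not in hashlib.algorithms_available:
        raise ValueError("unknown digest algorithm: %r" % alg)
    if not key:
        raise ValueError("empty HMAC key")
    return alg, key.encode("utf-8")


def hash_password(password, setting):
    """Return the hex HMAC of the password under the configured key."""
    alg, key = parse_hmac_key(setting)
    return hmac.new(key, password.encode("utf-8"), alg).hexdigest()


def verify_password(candidate, stored_hex, setting):
    """Recompute the HMAC and compare it in constant time."""
    return hmac.compare_digest(hash_password(candidate, setting), stored_hex)


if __name__ == "__main__":
    setting = "sha512:mypassword"  # value form taken from the reply above
    stored = hash_password("s3cret", setting)  # constructed sample password
    print(stored)
    print(verify_password("s3cret", stored, setting))
    print(verify_password("guess", stored, setting))
```

With one site-wide key, equal passwords produce equal digests, and changing the key invalidates every stored hash, so the key has to be kept out of the database and backed up with the application configuration.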

