Good point. Yes.

On Jan 4, 7:13 pm, David Bain <[email protected]> wrote:
> So if I'm importing a csv of users into auth_user.password I'd need to
> use the same hmac_key to generate the passwords used in the source
> csv.
>
> On Tue, Jan 4, 2011 at 8:10 PM, mdipierro <[email protected]> wrote:
>
> > using a salt (token in your example) is a bit primitive and vulnerable
> > to certain attacks.
>
> > Web2py uses hmac+md5 or hmac+sha512.
>
> > The password can be specified by:
>
> > auth.settings.hmac_key='sha512:mypassword'
>
> > which is passed to the validator
>
> > CRYPT(hmac_key='....')
>
> > Massimo
>
> > The prefix: (sha512) specifies the algorithm.
>
> > On Jan 4, 6:31 pm, David Bain <[email protected]> wrote:
> > > I'm not sure how passwords are hashed in web2py. If it uses a token, where
> > > is it stored.
>
> > > I'm guessing that it uses something like this:
>
> > > from hashlib import md5
>
> > > token = 'insecure'
>
> > > tokenizedHash = md5(password + token)
>
> > > print tokenizedHash.hexdigest()
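An added illustration of the CSV import question in this thread (not code from the thread or from web2py): it replaces a CSV's password column with an HMAC digest computed under an `algorithm:key` setting. It assumes the stored value is the hex HMAC of the plaintext keyed with the part after the prefix; the helper names and sample CSV are constructed, so compare one digest against a password hashed by your own web2py install before importing.

```python
import csv
import hashlib
import hmac
import io

ALLOWED = ("md5", "sha512")  # the two algorithms named in the thread


def parse_hmac_key(setting):
    """Split 'sha512:mypassword' into (hashlib constructor, key bytes)."""
    alg, sep, key = setting.partition(":")
    if not sep or alg not in ALLOWED or not key:
        raise ValueError("expected '<md5|sha512>:<key>'")
    return getattr(hashlib, alg), key.encode("utf-8")


def hash_password(plaintext, setting):
    """Hex HMAC of the password (assumed storage format, see lead-in)."""
    digestmod, key = parse_hmac_key(setting)
    return hmac.new(key, plaintext.encode("utf-8"), digestmod).hexdigest()


def verify_password(plaintext, stored, setting):
    """Constant-time comparison, so timing does not leak digest prefixes."""
    return hmac.compare_digest(hash_password(plaintext, setting), stored)


def convert_csv(src_text, setting):
    """Return CSV text whose 'password' column holds digests, not plaintext."""
    reader = csv.DictReader(io.StringIO(src_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["password"] = hash_password(row["password"], setting)
        writer.writerow(row)
    return out.getvalue()


# Constructed sample input; the accounts and passwords are made up.
SAMPLE_CSV = ("email,password\n"
              "alice@example.com,correct horse\n"
              "bob@example.com,hunter2\n")

if __name__ == "__main__":
    print(convert_csv(SAMPLE_CSV, "sha512:mypassword"))
```

A digest produced with one key never verifies under another, which is why the import has to use the same `hmac_key` as the application.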

