Uli Fouquet wrote:

> while working on a password manager tool (commandline) for Grok I
> stumbled over the usage of salts in the password managers of
> `zope.app.authentication`.
>
> In short, they seem to generate (and store) a salt number but do not
> make any use of it when it comes to creating the hashes (SHA1, MD5,
> whatever). As a result, the same passwords always lead to the same hashes, only
> the leading salt number is different. This could be exploited by
> dictionary attacks.
We should really be using the SSHA standard (as defined by LDAP) as a minimum. SSHA was the default in Zope 2, but someone forgot to bring this code over to Zope 3.

http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup

A SHA-256 version of the algorithm would also be useful since cryptography experts expect SHA-1 to be vulnerable soon.

Shane

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
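Added example, not code from Zope or from the AuthEncoding module linked above: it places the "salt stored but never mixed in" pattern Uli describes beside an LDAP-style SSHA encode/verify pair, and generalises it to the SHA-256 variant Shane asks for. The `{SSHA256}` label and the 4-byte salt length are this example's own assumptions, not a Zope convention.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: prefix labels for the salted digests this code emits.
# "{SSHA}" is the LDAP scheme; "{SSHA256}" is an assumed label for the SHA-256 variant.
PREFIXES = {"sha1": "{SSHA}", "sha256": "{SSHA256}"}


def stored_but_unused_salt(password: bytes, salt: bytes) -> str:
    """The flawed pattern from the quoted report: the salt is written in front of
    the stored value but never enters the digest, so equal passwords still yield
    equal digests and a single precomputed table covers every user."""
    return salt.hex() + "$" + hashlib.sha1(password).hexdigest()


def digest_part(stored: str) -> str:
    """Return only the digest of a stored_but_unused_salt() value (drops the salt)."""
    return stored.split("$", 1)[1]


def ssha_encode(password: bytes, salt: bytes = None, hash_name: str = "sha1") -> str:
    """LDAP-style SSHA: prefix + base64(H(password + salt) + salt).

    The salt is appended to the digest so verify() can recover it later.
    """
    if salt is None:
        salt = os.urandom(4)  # assumed salt length; any random length works
    digest = hashlib.new(hash_name, password + salt).digest()
    return PREFIXES[hash_name] + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, encoded: str) -> bool:
    """Split the stored value back into digest and salt, rehash, compare in constant time."""
    for hash_name, prefix in PREFIXES.items():
        if encoded.startswith(prefix):
            raw = base64.b64decode(encoded[len(prefix):])
            size = hashlib.new(hash_name).digest_size
            digest, salt = raw[:size], raw[size:]
            return hmac.compare_digest(hashlib.new(hash_name, password + salt).digest(), digest)
    return False  # unknown scheme


if __name__ == "__main__":
    # Same password, two salts: the flawed scheme repeats its digest, SSHA does not.
    print(digest_part(stored_but_unused_salt(b"secret", b"\x01")) ==
          digest_part(stored_but_unused_salt(b"secret", b"\x02")))   # True
    print(ssha_encode(b"secret") == ssha_encode(b"secret"))            # False
    print(ssha_verify(b"secret", ssha_encode(b"secret", hash_name="sha256")))  # True
```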