Hi Dan,

thanks for your quick response.

Dan Korostelev wrote:
> Yeah, that's definetely a mistake! The hash needs to be generated
> using both salt and password.
> 
> Also, I saw a technique when you generate a hash using double hashing,
> like this: sha(sha(password) + salt).hexdigest(). It looks even more
> secure :)

Hm, not sure. Building the hash of a hash doesn't give a more equal
distribution, does it? Therefore it doesn't look 'more secure' to me.

A dictionary-attacker could simply generate the list of hashes by using
hash(hash(dict_entry)) instead of hash(dict_entry). That wouldn't cost
much.

A brute force-attacker would also have no extra-work, because a hashed
'password' is as difficult to crack as hashed 'hash(password)' in
brute-force-attacks.

I might be wrong here.

Using a better hash-algorithm instead, as Shane proposed, could really
improve security IMHO. At least it should be supported by the standard
password managers in zope.app.authentication.

> BTW, to fix it, we need to remember about migration of already stored
> hashes. I guess zope.app.generations will do the job.

Yep, that's important and could cause trouble. Already stored passwords
could become invalid if we don't care for them and this could also be a
problem with generations, as here not only pure code would be concerned
but also data stored in the configuration.

Best regards,

-- 
Uli

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to