Hi Dan, thanks for your quick response.
Dan Korostelev wrote:
> Yeah, that's definitely a mistake! The hash needs to be generated
> using both salt and password.
>
> Also, I saw a technique when you generate a hash using double hashing,
> like this: sha(sha(password) + salt).hexdigest(). It looks even more
> secure :)

Hm, not sure. Building the hash of a hash doesn't give a more equal distribution, does it? Therefore it doesn't look 'more secure' to me. A dictionary attacker could simply generate the list of hashes by using hash(hash(dict_entry)) instead of hash(dict_entry). That wouldn't cost much. A brute-force attacker would also have no extra work, because a hashed 'password' is as difficult to crack as a hashed 'hash(password)' in brute-force attacks. I might be wrong here.

Using a better hash algorithm instead, as Shane proposed, could really improve security IMHO. At least it should be supported by the standard password managers in zope.app.authentication.

> BTW, to fix it, we need to remember about migration of already stored
> hashes. I guess zope.app.generations will do the job.

Yep, that's important and could cause trouble. Already stored passwords could become invalid if we don't care for them, and this could also be a problem with generations, as here not only pure code would be concerned but also data stored in the configuration.

Best regards,

-- 
Uli
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
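The three schemes argued about in the thread, side by side, as an added example that is not code from the thread or from zope.app.authentication. It shows why hashing the salt together with the password matters (a table precomputed without the salt stops working), why sha(sha(password) + salt) buys nothing against a dictionary attacker who simply swaps in the same scheme, and what "a better hash algorithm" can look like. The salt, the word list and the PBKDF2 iteration count are constructed for the example, and PBKDF2-HMAC-SHA256 is this example's own stand-in for the stronger algorithm Shane proposed, which the thread does not name.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the thread): a stored
# salt, the user's real password, and a small word list that contains it.
SALT = bytes.fromhex("8f3a1c4409d271ee")
PASSWORD = b"zope-rocks"
WORDLIST = [b"123456", b"password", b"zope-rocks", b"letmein"]
PBKDF2_ITERATIONS = 100_000  # assumption: work factor chosen for this example


def unsalted_sha1(password: bytes, salt: bytes = b"") -> str:
    """The mistake discussed in the thread: a salt is stored but never hashed."""
    return hashlib.sha1(password).hexdigest()


def salted_sha1(password: bytes, salt: bytes) -> str:
    """Single hash over salt + password."""
    return hashlib.sha1(salt + password).hexdigest()


def double_sha1(password: bytes, salt: bytes) -> str:
    """The sha(sha(password) + salt) variant from the quoted mail."""
    inner = hashlib.sha1(password).hexdigest().encode("ascii")
    return hashlib.sha1(inner + salt).hexdigest()


def pbkdf2_sha256(password: bytes, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated, salted derivation: every guess costs the attacker
    `iterations` HMAC evaluations instead of one or two SHA-1 calls."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def verify(stored: str, password: bytes, salt: bytes, scheme) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)


def precomputed_table(wordlist, scheme) -> dict:
    """What an attacker builds once, before seeing any salt: hash -> word.
    It is only useful against a scheme that ignores the salt."""
    return {scheme(word, b""): word for word in wordlist}


def table_lookup(stored: str, table: dict):
    """Zero-cost crack attempt: one dictionary lookup per stored hash."""
    return table.get(stored)


def dictionary_attack(stored: str, salt: bytes, wordlist, scheme):
    """Per-salt attack: rerun the (public) scheme over the word list.
    Returns (recovered password or None, number of guesses spent).
    Nesting the hash changes nothing here except the cost per guess."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(scheme(candidate, salt), stored):
            return candidate, guesses
    return None, len(wordlist)


if __name__ == "__main__":
    table = precomputed_table(WORDLIST, unsalted_sha1)
    print("unsalted, precomputed table:",
          table_lookup(unsalted_sha1(PASSWORD, SALT), table))
    print("salted, same table:",
          table_lookup(salted_sha1(PASSWORD, SALT),
                       precomputed_table(WORDLIST, salted_sha1)))
    for name, scheme in (("salted", salted_sha1), ("double", double_sha1)):
        print(name, "per-salt dictionary attack:",
              dictionary_attack(scheme(PASSWORD, SALT), SALT, WORDLIST, scheme))
    stored = pbkdf2_sha256(PASSWORD, SALT)
    print("pbkdf2 verify correct/wrong:",
          verify(stored, PASSWORD, SALT, pbkdf2_sha256),
          verify(stored, b"letmein", SALT, pbkdf2_sha256))
```

Both salted SHA-1 variants fall to the per-salt dictionary attack on the same guess (the third word); the double hash merely makes each guess cost two SHA-1 calls rather than one, a constant factor rather than a security gain. PBKDF2 raises that per-guess cost to the chosen iteration count, which is the kind of improvement a better algorithm gives and a nested plain hash does not.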