Shane Hathaway wrote:
> Uli Fouquet wrote:
>> While working on a password manager tool (command-line) for Grok I
>> stumbled over the usage of salts in the password managers of
>> `zope.app.authentication`.
>>
>> In short, they seem to generate (and store) a salt number but do not
>> make any use of it when it comes to creating the hashes (SHA1, MD5,
>> whatever). As a result, the same passwords always lead to the same
>> hashes; only the leading salt number is different. This could be
>> exploited by dictionary attacks.
>
> We should really be using the SSHA standard (as defined by LDAP) as a
> minimum. SSHA was the default in Zope 2, but someone forgot to bring
> this code over to Zope 3.
>
> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup
>
> A SHA-256 version of the algorithm would also be useful since
> cryptography experts expect SHA-1 to be vulnerable soon.
So perhaps this should be ported over, and we should do an announcement asking people to use that instead?

Regards,

Martijn

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
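The two behaviours discussed in the thread, side by side, as an added example that is not part of the original mail and not Zope's own `AuthEncoding.py`: a "salt stored but never hashed" scheme of the kind Uli describes, where two users with the same password get the same digest, and an LDAP-style SSHA encoding (`{SSHA}` + base64(sha1(password || salt) || salt)) where the salt is actually mixed into the hash. The `{SSHA256}` tag, the function names and the sample password and salts are assumptions of this example, not identifiers from Zope or from the LDAP specification.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added illustration, not Zope code. The "{SSHA256}" tag is an assumption
# made here for the SHA-256 variant suggested in the thread.
SCHEMES = {"{SSHA}": ("sha1", 20), "{SSHA256}": ("sha256", 32)}


def unsalted_with_stored_salt(password: bytes, salt: bytes) -> str:
    """The flawed pattern: the salt is stored in front of the digest but is
    not part of the hashed input, so equal passwords give equal digests."""
    return salt.hex() + "$" + hashlib.sha1(password).hexdigest()


def digest_part(stored: str) -> str:
    """Drop the decorative salt prefix produced by unsalted_with_stored_salt()."""
    return stored.split("$", 1)[1]


def ssha_encode(password: bytes, salt: Optional[bytes] = None,
                tag: str = "{SSHA}") -> str:
    """LDAP-style salted hash: tag + base64(H(password || salt) || salt).
    A fresh random salt is drawn when none is supplied."""
    algo, _ = SCHEMES[tag]
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password + salt).digest()
    return tag + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recover digest and salt from the stored value, recompute with the
    candidate password and compare in constant time. Unknown schemes raise
    instead of being guessed at."""
    for tag, (algo, size) in SCHEMES.items():
        if stored.startswith(tag):
            raw = base64.b64decode(stored[len(tag):])
            digest, salt = raw[:size], raw[size:]
            if len(digest) != size or not salt:
                return False  # truncated or unsalted blob: reject
            candidate = hashlib.new(algo, password + salt).digest()
            return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported password scheme: " + stored[:12])


def demo() -> dict:
    """One password, two salts: the flawed scheme yields identical digests,
    SSHA yields distinct values that both still verify."""
    pw = b"correct horse"                                # constructed sample
    s1, s2 = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"    # constructed salts
    flawed = (unsalted_with_stored_salt(pw, s1), unsalted_with_stored_salt(pw, s2))
    salted = (ssha_encode(pw, s1), ssha_encode(pw, s2))
    return {
        "flawed_digests_equal": digest_part(flawed[0]) == digest_part(flawed[1]),
        "ssha_values_equal": salted[0] == salted[1],
        "ssha_verifies": all(ssha_verify(pw, s) for s in salted),
        "ssha256_verifies": ssha_verify(pw, ssha_encode(pw, tag="{SSHA256}")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salt travels inside the base64 blob, as LDAP does it, so the verifier needs no separate column and cannot "forget" to use it. One caveat a practitioner should keep in mind: a single round of SHA-1 or SHA-256 is cheap to brute-force, so SSHA only stops an attacker from reusing one dictionary or rainbow table across all accounts; a deliberately slow, salted KDF (PBKDF2, bcrypt, scrypt or Argon2) is what protects the individual password.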