Hi there,

thanks for all input so far :-)

Martijn Faassen wrote:
> Shane Hathaway wrote:
> [snip]
> > Also, every encrypted password should have a scheme name prefix in curly 
> > braces, such as "{SSHA}", as discussed earlier in this thread.  That 
> > makes it possible to support multiple schemes in a single database, 
> > which is essential for migration to new schemes.
> +1

Such a fix can now be found in the ``ulif-saltfix`` branch of

_New_ passwords are now stored as 



Old passwords, however, are still accepted and correctly verified by the
respective `checkPassword` methods.

I didn't change the faulty salt handling of the SHA1 and MD5 password
managers. Only the prefix is added now. Whoever wants more security
could use SSHA. Setting a new password (which can in fact be the old
one) should update any old SHA1/MD5 passwords. Note that these won't be
more secure than the old ones! Only a prefix is added!

Oh, yes, and an SSHA password manager now also exists. Implementation is
based on Reed O'Brien's sample on
http://www.openldap.org/faq/data/cache/347.html. Some checks against
passwords generated by `slappasswd` showed that this SSHA password
manager should be compatible with at least slapd-(SSHA-)passwords.

Do we need a SMD5-manager as well (same as SSHA, only with MD5 instead
of SHA1 as hash algorithm)?

Any reviews by the more competent gurus in the list are highly

Best regards,
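
The scheme-prefix dispatch and SSHA layout discussed above, as an added example that is not part of the original message and not the code in the branch. It follows the OpenLDAP layout `{SSHA}` + base64(SHA1(password + salt) + salt); the function names, the 4-byte default salt and the `legacy_check` callback are assumptions.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes


def ssha_encode(password: bytes, salt: bytes = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # assumed default; any salt length verifies
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_check(stored: str, password: bytes) -> bool:
    """Verify a '{SSHA}' value; the salt is whatever follows the digest."""
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # no salt present: not a valid SSHA value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def check_password(stored: str, password: bytes, legacy_check) -> bool:
    """Dispatch on the scheme prefix; unprefixed values go to legacy_check."""
    if stored.startswith("{SSHA}"):
        return ssha_check(stored, password)
    if stored.startswith("{"):
        return False  # prefixed with a scheme this sketch does not handle
    # Old, unprefixed value: hand it to the caller's legacy verifier
    # (hypothetical callback standing in for the pre-prefix check).
    return legacy_check(stored, password)
```

Reading the salt as "everything after the first 20 bytes" rather than a fixed length is what keeps verification compatible with values produced by other tools that pick a different salt size.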



Zope-Dev maillist  -  Zope-Dev@zope.org