Hi, I've been researching authentication and whatnot in Zope 3 and was looking at the password management implementations. I don't like the fact that the SHA1 password manager doesn't use a random salt value when encoding and storing a password. Salts are commonly used in /etc/passwd and friends to eliminate the identification of passwords that are the same among users, as well as to make the brute forcing space a little larger.
Here is a unified diff that adds 32 bits of salt to the SHA1 password storage mechanism. The same may be done for md5, but its use is falling out of favour, so I didn't bother. What else do I need to do to contribute this change? Have I missed anything? Regards, Mark zope# diff -u password.py.dist password.py --- password.py.dist Tue Oct 24 04:21:55 2006 +++ password.py Fri Apr 20 14:21:31 2007 @@ -13,12 +13,13 @@ ############################################################################## """Password managers -$Id: password.py 70897 2006-10-24 08:21:55Z flox $ +$Id$ """ __docformat__ = 'restructuredtext' import md5 import sha +import random from zope.interface import implements, classProvides from zope.schema.interfaces import IVocabularyFactory @@ -85,19 +86,34 @@ >>> verifyObject(IPasswordManager, manager) True - >>> encoded = manager.encodePassword("password") + >>> encoded = manager.encodePassword("password", salt='') >>> encoded '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' >>> manager.checkPassword(encoded, "password") True >>> manager.checkPassword(encoded, "bad") False + + >>> encoded = manager.encodePassword("password") + >>> manager.checkPassword(encoded, "password") + True + >>> manager.checkPassword(encoded, "bad") + False """ implements(IPasswordManager) - def encodePassword(self, password): - return sha.new(password).hexdigest() + def encodePassword(self, password, salt=None): + if salt is None: + salt = '%x' % random.randrange(1, 2**32-1) + return salt + sha.new(salt+password).hexdigest() + + def checkPassword(self, storedPassword, password): + if len(storedPassword) == 48: + salt = storedPassword[0:8] + else: + salt = '' + return storedPassword == self.encodePassword(password, salt) # Simple registry used by mkzopeinstance script managers = [
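Review bot: In the first hunk, `import random` pulls in a non-cryptographic PRNG (Mersenne Twister seeded from the clock by default); for salt generation the usual choice is `os.urandom` (present since Python 2.4), e.g. `salt = os.urandom(4).encode('hex')`, which also yields a fixed-width 8-character salt. The `$Id$` keyword reset is a VCS keyword change and should be mentioned in the commit message so it is not mistaken for an accidental edit.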
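Review bot: In the second hunk, `salt = '%x' % random.randrange(1, 2**32-1)` is not fixed-width: any value below 2**28 formats to fewer than 8 hex digits, so roughly one in sixteen stored passwords is shorter than 48 characters, `checkPassword` then takes the `salt = ''` branch, and the correct password is rejected. Use `'%08x'` (or a fixed-length `os.urandom`-based salt), and prefer an explicit check over `len(storedPassword) == 48` since the length heuristic is the only thing distinguishing salted from legacy unsalted (40-character) entries. The added doctest draws a single random salt and so passes by chance most of the time; a test that passes a short salt value explicitly (e.g. `salt='1'`) would have caught this. The docstring for `encodePassword` should also state that `salt=''` preserves the old unsalted format for backwards compatibility with existing stored hashes, and the `IPasswordManager` interface needs the optional `salt` argument added to its `encodePassword` declaration so `verifyObject` still reflects the real signature.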
Zope3-dev mailing list, Zope3-dev@zope.org