Giovannetti, Mark wrote:
> I've been researching authentication and whatnot in Zope 3 and was looking at the password management implementations. I don't like the fact that the SHA1 password manager doesn't use a random salt value when encoding and storing a password. Salts are commonly used in /etc/passwd and friends to eliminate the identification of passwords that are the same among users, as well as to make the brute forcing space a little larger.
Actually, I've always thought of z.a.authentication.password as a simple reference implementation which you can use if you don't care much about security. However, in production it is always preferred to use more secure password managers. I'm not sure we need to apply the proposed patch; rather, we should add a note about the reference implementation at the top of z.a.a.password.
-- 
Dmitry Vasiliev <dima at hlabs.spb.ru>
http://hlabs.spb.ru

_______________________________________________
Zope3-dev mailing list
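As an added illustration of the point Mark raises above (not code from the thread or from Zope 3 itself), the following shows a hypothetical unsalted SHA1 manager beside a hypothetical salted one. Both class names, the `encodePassword`/`checkPassword` method names and the `{SSHA}` storage layout (base64 of digest followed by salt, borrowed from the LDAP convention) are assumptions for this example. The unsalted manager maps equal passwords to equal stored values, so two users sharing a password are identifiable from the store; the salted manager draws a fresh random salt per encoding and stores it with the digest, so equal passwords no longer look equal.

```python
import binascii
import hashlib
import hmac
import os
from base64 import b64decode, b64encode


class PlainSHA1PasswordManager:
    """Hypothetical unsalted manager, modelled on the scheme discussed above.

    Equal passwords always encode to the same digest.
    """

    def encodePassword(self, password):
        return hashlib.sha1(password.encode("utf-8")).hexdigest()

    def checkPassword(self, stored, password):
        # Constant-time comparison avoids leaking how many leading characters matched.
        return hmac.compare_digest(stored, self.encodePassword(password))


class SaltedSHA1PasswordManager:
    """Hypothetical salted manager: a random per-password salt stored with the digest."""

    SALT_BYTES = 16          # constructed choice; any CSPRNG output of reasonable size works
    DIGEST_BYTES = 20        # SHA1 output length
    PREFIX = "{SSHA}"        # assumed marker so the checker can recognise the format

    def encodePassword(self, password, salt=None):
        if salt is None:
            salt = os.urandom(self.SALT_BYTES)  # fresh salt for every encoding
        digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
        # The salt must be kept alongside the digest, otherwise it cannot be verified later.
        return self.PREFIX + b64encode(digest + salt).decode("ascii")

    def checkPassword(self, stored, password):
        if not stored.startswith(self.PREFIX):
            return False
        try:
            raw = b64decode(stored[len(self.PREFIX):], validate=True)
        except (binascii.Error, ValueError):
            return False  # malformed stored value: refuse rather than raise
        if len(raw) < self.DIGEST_BYTES:
            return False
        digest, salt = raw[:self.DIGEST_BYTES], raw[self.DIGEST_BYTES:]
        candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
        return hmac.compare_digest(digest, candidate)


def same_password_collides(manager, password):
    """True if encoding the same password twice yields identical stored values.

    This is exactly the property that lets an attacker with the password store
    spot users who share a password.
    """
    return manager.encodePassword(password) == manager.encodePassword(password)


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    print("plain collides:", same_password_collides(PlainSHA1PasswordManager(), "hunter2"))
    print("salted collides:", same_password_collides(SaltedSHA1PasswordManager(), "hunter2"))
```

Note that a salt only removes the cross-user equality and defeats precomputed tables; a single salted SHA1 is still cheap to compute per guess, which is why a production manager would combine the salt with a deliberately slow key derivation function rather than one hash iteration.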