Giovannetti, Mark wrote:
I've been researching authentication and whatnot in Zope 3
and was looking at the password management implementations.
I don't like the fact that the SHA1 password manager
doesn't use a random salt value when encoding and storing
a password. Salts are commonly used in /etc/passwd and
friends to eliminate the identification of passwords that
are the same among users, as well as to make the brute
forcing space a little larger.
Actually I've always thought of z.a.authentication.password as a
simple reference implementation which you can use if you don't care much
about security. However, in production it is always preferred to use more
secure password managers. I'm not sure we need to apply the proposed
patch, but rather add a note about the reference implementation at the top of
Dmitry Vasiliev <dima at hlabs.spb.ru>
Zope3-dev mailing list
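To make Mark's point concrete, here is an added example (not the Zope 3 password manager code itself) that puts an unsalted SHA1 manager next to a salted one; the "{SHA}"/"{SSHA}" prefixes, the per-user 8-byte salt and the layout "digest + salt" are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Optional

# Added example, not z.a.authentication.password; prefixes and layout are assumed.

class UnsaltedSHA1PasswordManager:
    """Behaviour Mark objects to: no salt, so equal passwords encode to
    equal stored values and one precomputed table covers every user."""
    prefix = "{SHA}"

    def encode_password(self, password: str) -> str:
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return self.prefix + b64encode(digest).decode("ascii")

    def check_password(self, stored: str, password: str) -> bool:
        # constant-time comparison of the two encoded strings
        return hmac.compare_digest(stored, self.encode_password(password))


class SaltedSHA1PasswordManager:
    """Fresh random salt per password, stored beside the digest as
    "{SSHA}" + base64(sha1(password + salt) + salt)  (assumed layout)."""
    prefix = "{SSHA}"
    salt_len = 8
    digest_len = 20   # SHA-1 digest size in bytes

    def encode_password(self, password: str, salt: Optional[bytes] = None) -> str:
        if salt is None:
            salt = os.urandom(self.salt_len)   # new random salt every time
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return self.prefix + b64encode(digest + salt).decode("ascii")

    def check_password(self, stored: str, password: str) -> bool:
        if not stored.startswith(self.prefix):
            return False
        raw = b64decode(stored[len(self.prefix):])
        digest, salt = raw[:self.digest_len], raw[self.digest_len:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, candidate)


def same_password_same_hash(manager, password: str = "secret") -> bool:
    """True when two users with the same password get identical stored values."""
    return manager.encode_password(password) == manager.encode_password(password)
```

The salt fixes the two problems Mark names (identical passwords are no longer recognisable as such, and a single precomputed table no longer covers all users) but does not slow down a brute-force attempt against one user's hash, since SHA1 itself is cheap to compute.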