Giovannetti, Mark wrote:
I've been researching authentication and whatnot in Zope 3
and was looking at the password management implementations.
I don't like the fact that the SHA1 password manager
doesn't use a random salt value when encoding and storing
a password.  Salts are commonly used in /etc/passwd and
friends to eliminate the identification of passwords that
are the same among users, as well as to make the brute
forcing space a little larger.

Actually, I've always thought about z.a.authentication.password as a simple reference implementation which you can use if you don't care much about security. However, in production it is always preferred to use more secure password managers. I'm not sure we need to apply the proposed patch, but rather add a note about the reference implementation at the top of z.a.a.password.

Dmitry Vasiliev <dima at>
Zope3-dev mailing list
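As an added illustration of the point raised in the thread (this is not Zope 3's own zope.app.authentication.password code, and the class names, the "{SHA1}"/"{SSHA1}" prefixes and the encodePassword/checkPassword method names are assumptions made here), the following compares an unsalted SHA1 manager with a salted one. With the unsalted manager, two accounts that chose the same password store byte-identical values; with a random per-password salt they do not, and a guess has to be hashed once per account instead of once for the whole password store.

```python
"""Unsalted vs. salted SHA1 password managers (added illustration).

Hypothetical API modelled loosely on a Zope-style password manager:
encodePassword(plain) -> stored string, checkPassword(stored, plain) -> bool.
"""
import base64
import hashlib
import hmac
import os


class UnsaltedSHA1PasswordManager:
    """Stores only sha1(password): equal passwords give equal stored values."""

    prefix = "{SHA1}"

    def encodePassword(self, password):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return self.prefix + base64.b64encode(digest).decode("ascii")

    def checkPassword(self, stored, password):
        # Constant-time comparison of the stored and recomputed encodings.
        return hmac.compare_digest(stored, self.encodePassword(password))


class SaltedSHA1PasswordManager:
    """Stores base64(sha1(salt + password) + salt) with a fresh random salt."""

    prefix = "{SSHA1}"
    salt_size = 16  # bytes of random salt per stored password (chosen here)
    digest_size = hashlib.sha1().digest_size  # 20 bytes for SHA1

    def encodePassword(self, password, salt=None):
        if salt is None:
            salt = os.urandom(self.salt_size)
        digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
        # The salt is public; it travels with the digest so checks can redo it.
        return self.prefix + base64.b64encode(digest + salt).decode("ascii")

    def checkPassword(self, stored, password):
        if not stored.startswith(self.prefix):
            return False
        try:
            raw = base64.b64decode(stored[len(self.prefix):], validate=True)
        except (ValueError, TypeError):
            return False
        if len(raw) <= self.digest_size:
            return False
        digest, salt = raw[:self.digest_size], raw[self.digest_size:]
        expected = hashlib.sha1(salt + password.encode("utf-8")).digest()
        return hmac.compare_digest(digest, expected)


def same_password_collides(manager, password="correct horse"):
    """True if two users choosing the same password get identical stored values.

    This is exactly the property a salt is meant to remove: identical stored
    values reveal shared passwords without any guessing at all.
    """
    return manager.encodePassword(password) == manager.encodePassword(password)


if __name__ == "__main__":
    for manager in (UnsaltedSHA1PasswordManager(), SaltedSHA1PasswordManager()):
        stored = manager.encodePassword("correct horse")
        print(type(manager).__name__, stored,
              "collides:", same_password_collides(manager),
              "verifies:", manager.checkPassword(stored, "correct horse"))
```

Note that salting only fixes the two problems the thread names (shared-password detection and per-store precomputation); a single SHA1 round is still fast to guess against, which is why a password manager meant for production would also use an iterated or memory-hard construction.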
