Hi Dimitry,

> -----Original Message-----
> From: Dmitry Vasiliev [mailto:[EMAIL PROTECTED] 
> Giovannetti, Mark wrote:
> > I've been researching authentication and whatnot in Zope 3
> > and was looking at the password management implementations.
> > I don't like the fact that the SHA1 password manager
> > doesn't use a random salt value when encoding and storing
> > a password.  Salts are commonly used in /etc/passwd and
> > friends to eliminate the identification of passwords that
> > are the same among users, as well as to make the brute
> > forcing space a little larger.
> Actually I've always thought about z.a.authentication.password as a 
> simple reference implementation which you can use if you 
> don't care much 
> about security. However in production it always preferred to use more 
> secure password managers. I'm not sure we need to apply the proposed 
> patch but rather add note about reference implementation at 
> the top of 
> the z.a.a.password.

You make a point, although I would expect a reference 
implementation to be as good as possible.  Hence, improvements
can be encouraged and, perhaps, the security bar raised.
Adding this salt patch allows a better, more secure reference 

Surely, welcoming obvious improvements that will save some 
other zope developer from re-implementing a secure /etc/passwd
equivalent is desirable.

A note is likely to make the potential zope developer sigh
and realize that there is more work for them to do.  

Don't get me wrong, I will be using LDAP in the future, but
for many zope implementations, a good local passwd file is 
and can be secure enough for people who care about security.  
I do, which is why I took the time to write this patch.

Anyway, I hope I've convinced you!  If not, c'est la vie!


Python 2.5 has hashlib which supports sha224, sha256 and so forth.
I may look into adding support for those hashes to password
when zope has been updated for 2.5.
Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to