Giovannetti, Mark wrote:
I like that update.  However, it would fail authentication on
stored lengths less than 40.  Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we guarantee a blank '' salt, rather than the possibility of getting some of the last hex digits of the stored password due to list wrap around. Might make debugging a problem just a little easier, you never know.

How about putting the salt on the end of the stored value. Then fetching the salt would look like this:

salt = storedPassword[40:]

That way if the stored value was less than 40 characters, the salt would be the empty string.
Benji York
Senior Software Engineer
Zope Corporation
Zope3-dev mailing list

Reply via email to