Giovannetti, Mark wrote:
I like that update. However, it would fail authentication on
stored lengths less than 40. Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we
guarantee a blank '' salt, rather than the possibility of getting
some of the last hex digits of the stored password due to
list wrap around. Might make debugging a problem just a little
easier, you never know.
How about putting the salt on the end of the stored value? Then
fetching the salt would look like this:

    salt = storedPassword[40:]

That way if the stored value was less than 40 characters, the salt would
be the empty string.
Senior Software Engineer
Zope3-dev mailing list
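
The slicing behaviour discussed in this thread, as an added example that is not part of the original messages or of Zope's own code. It assumes the 40 characters are a SHA-1 hex digest and that the salt is prepended to the password before hashing; all function names are hypothetical, and the sample values in the comments are constructed.

```python
import hashlib
import hmac

# Assumption: "40" in the thread is the length of a SHA-1 hex digest.
DIGEST_HEX_LEN = 40


def _digest(password, salt):
    # Assumption: the salt is prepended to the password before hashing.
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def encode(password, salt):
    """Build a stored value in the suffix layout: digest first, salt after it."""
    return _digest(password, salt) + salt


def split_stored(stored):
    """Split into (digest, salt) using fixed, non-negative slice bounds.

    A stored value shorter than 40 characters yields an empty salt, because
    slicing past the end of a string returns '' instead of wrapping.
    """
    return stored[:DIGEST_HEX_LEN], stored[DIGEST_HEX_LEN:]


def prefix_salt_by_offset(stored):
    """Salt-first layout with a computed end offset, shown for contrast only.

    When len(stored) < 40 the offset is negative, Python counts it from the
    end of the string, and part of the digest comes back as the "salt".
    """
    return stored[:len(stored) - DIGEST_HEX_LEN]


def check(stored, password):
    """Verify a password against a suffix-layout stored value."""
    digest, salt = split_stored(stored)
    if len(digest) != DIGEST_HEX_LEN:
        return False  # anomalous (truncated) stored value: fail closed
    expected = _digest(password, salt)
    # Compare as bytes in constant time.
    return hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8"))
```

With a constructed 30-character stored value, `split_stored` returns an empty salt while `prefix_salt_by_offset` returns the first 20 characters of the digest.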