[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?
Martijn Faassen
faassen at startifact.com
Tue Jan 20 14:23:16 EST 2009
Shane Hathaway wrote:
> Uli Fouquet wrote:
>> while working on a password manager tool (commandline) for Grok I
>> stumbled over the usage of salts in the password managers of
>> `zope.app.authentication`.
>>
>> In short, they seem to generate (and store) a salt number but do not
>> make any use of it when it comes to creating the hashes (SHA1, MD5,
>> whatever). As a result, the same passwords always lead to the same
>> hashes; only the leading salt number is different. This could be
>> exploited by dictionary attacks.
>
> We should really be using the SSHA standard (as defined by LDAP) as a
> minimum. SSHA was the default in Zope 2, but someone forgot to bring
> this code over to Zope 3.
>
> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup
>
> A SHA-256 version of the algorithm would also be useful since
> cryptography experts expect SHA-1 to be vulnerable soon.
So perhaps this should be ported over and we should make an announcement
asking people to use that instead?
Regards,
Martijn
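The two schemes discussed in this thread, side by side, as an added example that is not code from the thread, from zope.app.authentication or from Zope 2's AuthEncoding.py: `flawed_encode` reproduces the pattern Uli describes (a salt stored in front of the digest but never fed into the hash), and `ssha_encode`/`ssha_check` implement the LDAP SSHA layout Shane recommends, hash(password + salt) with the salt appended to the digest and base64-encoded behind a scheme label, generalised to SHA-256 as well. The "{SSHA256}" label is an assumption following the naming used by OpenLDAP's pw-sha2 module; all sample passwords and salts are constructed.

```python
import base64
import hashlib
import hmac
import os

# Scheme label -> hashlib algorithm name. "{SSHA}" is the LDAP label for salted
# SHA-1; "{SSHA256}" is assumed here, following OpenLDAP's pw-sha2 convention.
SCHEMES = {"{SSHA}": "sha1", "{SSHA256}": "sha256"}


def flawed_encode(password, salt):
    """Constructed illustration of the weakness from the thread: the salt is
    stored in front of the digest but never mixed into the hash, so the
    digest is a plain SHA-1 of the password and identical for equal
    passwords regardless of the salt."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return salt.hex() + digest


def ssha_encode(password, salt=None, scheme="{SSHA}"):
    """Salted hash in the LDAP SSHA layout:
    label + base64(hash(password + salt) + salt)."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    h = hashlib.new(SCHEMES[scheme])
    h.update(password.encode("utf-8"))
    h.update(salt)
    return scheme + base64.b64encode(h.digest() + salt).decode("ascii")


def ssha_split(encoded):
    """Return (scheme, digest, salt) for a stored value, or raise ValueError."""
    for scheme, algo in SCHEMES.items():
        if encoded.startswith(scheme):
            raw = base64.b64decode(encoded[len(scheme):])
            size = hashlib.new(algo).digest_size
            if len(raw) <= size:
                raise ValueError("stored value carries no salt")
            return scheme, raw[:size], raw[size:]
    raise ValueError("unknown scheme label")


def ssha_check(password, encoded):
    """Recompute hash(password + stored salt) and compare in constant time."""
    scheme, digest, salt = ssha_split(encoded)
    h = hashlib.new(SCHEMES[scheme])
    h.update(password.encode("utf-8"))
    h.update(salt)
    return hmac.compare_digest(h.digest(), digest)


def digests_collide(password, encode, digest_of):
    """True if the same password stored under two different salts yields the
    same digest, i.e. the precomputed-dictionary property the thread warns
    about. `digest_of` extracts the digest part from an encoded value."""
    first = digest_of(encode(password, b"salt-one"))
    second = digest_of(encode(password, b"salt-two"))
    return first == second


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("flawed  :", flawed_encode(pw, b"salt-one"))
    print("flawed  :", flawed_encode(pw, b"salt-two"))
    print("ssha    :", ssha_encode(pw, b"salt-one"))
    print("ssha    :", ssha_encode(pw, b"salt-two"))
    print("ssha256 :", ssha_encode(pw, scheme="{SSHA256}"))
    print("verify  :", ssha_check(pw, ssha_encode(pw)))
```

Running the module shows the flawed values sharing their trailing 40 hex characters while the SSHA values differ entirely, which is the whole point of feeding the salt into the digest: a precomputed table of hashes is useless against a store where every entry was hashed with its own salt. Note that salted SHA-1 or SHA-256 still allows an attacker who has the stored values to test candidate passwords at raw hash speed, so an iterated construction (PBKDF2, bcrypt) is the stronger choice for new deployments; SSHA is the minimum this thread proposes.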