[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?
Shane Hathaway
shane at hathawaymix.org
Tue Jan 20 20:22:50 EST 2009
Martijn Faassen wrote:
> Shane Hathaway wrote:
>> We should really be using the SSHA standard (as defined by LDAP) as a
>> minimum. SSHA was the default in Zope 2, but someone forgot to bring
>> this code over to Zope 3.
>>
>> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup
>
> So perhaps this should be ported over and we should do an announcement
> that we ask people to use that instead?
Yes. The first volunteer to change "we should do it" into "I have done
it" will earn recognition, glory, and a permanent place in Zope's
Subversion history!
Also, every encrypted password should have a scheme name prefix in curly
braces, such as "{SSHA}", as discussed earlier in this thread. That
makes it possible to support multiple schemes in a single database,
which is essential for migration to new schemes.
Shane
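As an added illustration of the two points above (SSHA as the minimum, and a `{SCHEME}` prefix so several schemes can coexist while old records are migrated), here is example code that is not from the thread or from Zope's AuthEncoding module; the 8-byte salt length, the function names and the `{SHA}` legacy checker are my own assumptions:

```python
import base64
import binascii
import hashlib
import hmac
import os

# LDAP-style SSHA: "{SSHA}" + base64( sha1(password + salt) + salt ).
# The salt is stored in the clear after the digest; 8 bytes is an assumed length.
def ssha_encode(password, salt=None):
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_check(password, encoded):
    try:
        raw = base64.b64decode(encoded[len("{SSHA}"):])
    except binascii.Error:
        return False
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare

# Unsalted legacy scheme, kept only so existing records can still be verified
# and then migrated; sha_encode exists here only to build such a sample record.
def sha_encode(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def sha_check(password, encoded):
    try:
        raw = base64.b64decode(encoded[len("{SHA}"):])
    except binascii.Error:
        return False
    return hmac.compare_digest(raw, hashlib.sha1(password.encode("utf-8")).digest())

CHECKERS = {"{SSHA}": ssha_check, "{SHA}": sha_check}

def scheme_of(encoded):
    """Return the '{SCHEME}' prefix of a stored value, or None if it has none."""
    if encoded.startswith("{") and "}" in encoded:
        return encoded[:encoded.index("}") + 1]
    return None

def check_password(password, encoded):
    checker = CHECKERS.get(scheme_of(encoded))
    return False if checker is None else checker(password, encoded)

def verify_and_migrate(password, encoded):
    """Return (ok, stored_value); a record in an older scheme is re-encoded as SSHA on success."""
    if not check_password(password, encoded):
        return False, encoded
    if scheme_of(encoded) != "{SSHA}":
        return True, ssha_encode(password)
    return True, encoded
```

Because the prefix is dispatched on per record, a database can hold `{SHA}` and `{SSHA}` entries side by side and upgrade each one the next time its owner logs in.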