[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?
Shane Hathaway
shane at hathawaymix.org
Wed Jan 21 12:50:47 EST 2009
Uli Fouquet wrote:
> Ok. I'll put something into the zope.app.authentication branches for
> review.
Great!
> Two remaining questions: I would like to use `os.urandom` instead of
> `random.randint` to create the salt, because this is recommended in
> cryptographic contexts. There was, however, a problem with this module
> in former times: sometimes it stopped until enough entropy was
> available, which could make threads and processes hang. Is this still an
> issue?
Well, the Linux man page for "urandom" says that /dev/urandom never
blocks, while /dev/random can block if the entropy pool runs out. I
assume os.urandom uses /dev/urandom.
> Last question: How should we handle lack of SHA-2 hashes in the Python
> standard lib of 2.4? Self-implementing sounds too error-prone to me
> while existing Python ports of the reference implementation in PyCryto
> etc. are implemented in C which would make `zope.app.authentication` a
> binary package. Something I would like to avoid. Or is support for
> Python 2.4 running out anyway?
Let's not implement the SHA-2 version yet. SSHA, based on SHA-1, is
sufficient for now.
Shane
More information about the Zope-Dev
mailing list