[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

Wichert Akkerman wichert at wiggy.net
Sat Jan 17 14:47:22 EST 2009


Previously Dan Korostelev wrote:
> Yeah, that's definitely a mistake! The hash needs to be generated
> using both salt and password.
> 
> Also, I saw a technique when you generate a hash using double hashing,
> like this: sha(sha(password) + salt).hexdigest(). It looks even more
> secure :)

Why would it make things more secure?

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
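
The three constructions mentioned in this thread, compared side by side as an added example (not code from the post or from zope.app.authentication). The "salt stored but not hashed" form is an assumption about the weakness being discussed, and all function names and sample data are hypothetical.

```python
import hashlib

SALT_LEN = 4  # bytes; constructed value for this example

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def encode_salt_unused(password: bytes, salt: bytes) -> str:
    # Assumed weak form: the salt is stored next to the hash but never hashed.
    return salt.hex() + sha1_hex(password)

def encode_salted(password: bytes, salt: bytes) -> str:
    # Salt and password hashed together.
    return salt.hex() + sha1_hex(salt + password)

def encode_double(password: bytes, salt: bytes) -> str:
    # The quoted variant: sha(sha(password) + salt).hexdigest()
    return salt.hex() + sha1_hex(sha1_hex(password).encode() + salt)

def digest_part(stored: str) -> str:
    # Strip the hex-encoded salt prefix from a stored record.
    return stored[SALT_LEN * 2:]

def salt_changes_digest(encode) -> bool:
    # Same password, two salts: a working salt must give different digests.
    a = encode(b"secret", b"\x00\x01\x02\x03")
    b = encode(b"secret", b"\xff\xfe\xfd\xfc")
    return digest_part(a) != digest_part(b)

def table_hits(encode, accounts, wordlist) -> int:
    # Build one salt-independent table of sha1(word), then count stored
    # records whose digest part appears in it.
    table = {sha1_hex(w) for w in wordlist}
    return sum(digest_part(encode(pw, salt)) in table for pw, salt in accounts)

# Constructed sample data: (password, salt) per account.
ACCOUNTS = [(b"secret", b"\x10\x20\x30\x40"),
            (b"secret", b"\x55\x66\x77\x88"),
            (b"zope123", b"\x0a\x0b\x0c\x0d")]
WORDLIST = [b"secret", b"zope123", b"letmein"]

if __name__ == "__main__":
    for enc in (encode_salt_unused, encode_salted, encode_double):
        print(enc.__name__, salt_changes_digest(enc),
              table_hits(enc, ACCOUNTS, WORDLIST))
```

Both forms that feed the salt into the hash behave the same against a salt-independent table; only the form that leaves the salt out of the hash input is matched by it.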

