[Zope3-dev] SHA1Password manager, add a pinch of salt
Martijn Pieters
mj at zopatista.com
Sat Apr 21 03:27:51 EDT 2007
On 4/20/07, Giovannetti, Mark <giovanne at nrcan.gc.ca> wrote:
> + def checkPassword(self, storedPassword, password):
> + if len(storedPassword) == 48:
> + salt = storedPassword[0:8]
> + else:
> + salt = ''
> + return storedPassword == self.encodePassword(password, salt)
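Review bot: the `len(storedPassword) == 48` test hard-codes an 8-character salt and silently falls back to an empty salt for every other length, so a password encoded with a salt of any other size (which encodePassword accepts) can never be verified and the mismatch is reported as a plain wrong password. Derive the salt from the stored value instead, e.g. `salt = storedPassword[:len(storedPassword) - 40]`, since the sha hexdigest is always 40 characters, or reject salts that are not exactly 8 characters at encoding time. The final `storedPassword == ...` comparison is also a plain string compare; a constant-time comparison would be preferable for a password check.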
Because you allow the passing in of an arbitrary salt on encoding, you
should either check the salt length on encoding (ensuring len 8) or,
better, do the following:
    def checkPassword(self, storedPassword, password):
        salt = storedPassword[:len(storedPassword)-40]
        return storedPassword == self.encodePassword(password, salt)
That'll capture any salt length as the sha.hexdigest output is always
40 characters long.
--
Martijn Pieters
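The two checkPassword variants from the thread side by side, as an added example that is not code from the patch or from Zope itself. It assumes the storage layout the 48-character check implies (an 8-character salt followed by the 40-character sha1 hexdigest, i.e. encodePassword returns salt + sha1(salt + password).hexdigest()); the exact concatenation order in the real patch is not shown in the quoted lines. The constant-time comparison and the short-value guard in the length-derived version are additions here, not part of either poster's code.

```python
import hashlib
import hmac
import secrets

HEXDIGEST_LEN = 40  # sha1 hexdigest is always 40 hex characters


def encode_password(password, salt=None):
    """Return salt + sha1(salt + password).hexdigest().

    Assumed layout: the thread only shows that the stored value is 48
    characters when an 8-character salt is used (8 + 40). Any salt may be
    passed in, as the quoted patch allows; a random 8-character one is
    generated when none is given.
    """
    if salt is None:
        salt = secrets.token_hex(4)  # 4 random bytes -> 8 hex characters
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def check_password_fixed_length(stored, password):
    """The quoted patch's logic: an 8-character salt iff the value is 48 long,
    otherwise an empty salt. Any other salt length can never verify."""
    if len(stored) == 48:
        salt = stored[0:8]
    else:
        salt = ""
    return stored == encode_password(password, salt)


def check_password_any_salt(stored, password):
    """The reply's logic: whatever precedes the 40-character hexdigest is the
    salt, so every salt length round-trips."""
    if len(stored) < HEXDIGEST_LEN:
        return False  # added guard: cannot contain a full hexdigest
    salt = stored[:len(stored) - HEXDIGEST_LEN]
    candidate = encode_password(password, salt)
    # compare_digest is constant-time; added here, not in the thread's code
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def demo(password="correct horse"):
    """For salts of length 0, 8 and 16 (constructed inputs), return a tuple of
    (fixed-length check, length-derived check, length-derived check with a
    wrong password), keyed by salt length."""
    results = {}
    for salt in ("", "abcdefgh", "0123456789abcdef"):
        stored = encode_password(password, salt)
        results[len(salt)] = (
            check_password_fixed_length(stored, password),
            check_password_any_salt(stored, password),
            check_password_any_salt(stored, "wrong password"),
        )
    return results


if __name__ == "__main__":
    for salt_len, outcome in demo().items():
        print(salt_len, outcome)
```

Running demo() shows the difference the reply points at: with an 8-character salt (or none) both checks accept the right password, but with a 16-character salt the fixed-length check falls back to an empty salt and rejects it, while the length-derived check still verifies it and still rejects a wrong password.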