[Zope3-dev] SHA1Password manager, add a pinch of salt
Dmitry Vasiliev
dima at hlabs.spb.ru
Sat Apr 21 05:38:03 EDT 2007
Giovannetti, Mark wrote:
> I've been researching authentication and whatnot in Zope 3
> and was looking at the password management implementations.
> I don't like the fact that the SHA1 password manager
> doesn't use a random salt value when encoding and storing
> a password. Salts are commonly used in /etc/passwd and
> friends to eliminate the identification of passwords that
> are the same among users, as well as to make the brute
> forcing space a little larger.
Actually I've always thought about z.a.authentication.password as a
simple reference implementation which you can use if you don't care much
about security. However, in production it is always preferable to use more
secure password managers. I'm not sure we need to apply the proposed
patch, but rather add a note about the reference implementation at the top of
z.a.a.password.
--
Dmitry Vasiliev <dima at hlabs.spb.ru>
http://hlabs.spb.ru
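To make the point of the thread concrete, here is an added example (my own code, not Zope 3's password manager and not the proposed patch) contrasting an unsalted SHA1 scheme with a salted one behind the same encodePassword/checkPassword interface. The "{SHA}"/"{SSHA}" prefixes, the 16-byte salt length and the digest-then-salt layout are assumptions borrowed from the LDAP SSHA convention. With the unsalted manager two users who choose the same password get the same stored value, which is exactly what the quoted message objects to; the salted manager stores a per-password random salt next to the digest so that identical passwords no longer produce identical records and a single precomputed table no longer covers every user. Note that a salt does not make SHA1 itself slower to brute force, so it addresses the first concern more than the second.

```python
import base64
import hashlib
import hmac
import os


class PlainSHA1PasswordManager:
    """Unsalted scheme of the kind criticised above: same password -> same record."""

    def encodePassword(self, password):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return "{SHA}" + base64.b64encode(digest).decode("ascii")

    def checkPassword(self, stored, password):
        # Constant-time compare so the check itself leaks nothing via timing.
        return hmac.compare_digest(stored, self.encodePassword(password))


class SaltedSHA1PasswordManager:
    """Salted variant. Layout (assumed, LDAP-SSHA style): b64(digest || salt)."""

    SALT_LEN = 16          # assumed salt length in bytes
    DIGEST_LEN = 20        # SHA1 digest length

    def encodePassword(self, password, salt=None):
        # A fresh random salt per call is what breaks the "same password,
        # same stored value" property; salt is a parameter only for tests.
        if salt is None:
            salt = os.urandom(self.SALT_LEN)
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

    def checkPassword(self, stored, password):
        if not stored.startswith("{SSHA}"):
            return False
        raw = base64.b64decode(stored[len("{SSHA}"):])
        # Recover the salt that was stored with the digest and recompute.
        digest, salt = raw[:self.DIGEST_LEN], raw[self.DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, candidate)


def same_password_detectable(manager, password):
    """True if two users with the same password end up with identical records."""
    return manager.encodePassword(password) == manager.encodePassword(password)


if __name__ == "__main__":
    # Constructed sample password, used only for this demonstration.
    for manager in (PlainSHA1PasswordManager(), SaltedSHA1PasswordManager()):
        name = type(manager).__name__
        print(name, "duplicates visible:", same_password_detectable(manager, "correct horse"))
        rec = manager.encodePassword("correct horse")
        print(name, "stored:", rec, "verifies:", manager.checkPassword(rec, "correct horse"))
```

Running the script shows the unsalted manager returning the same record both times and the salted one returning two different records that both verify against the original password.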