[Zope3-dev] SHA1Password manager, add a pinch of salt
Dmitry Vasiliev
dima at hlabs.spb.ru
Wed Apr 25 09:30:20 EDT 2007
Giovannetti, Mark wrote:
>> From: Dmitry Vasiliev [mailto:dima at hlabs.spb.ru]
>>
>> Slices doesn't wrap around.
>
> Right, this was what I was seeing/thinking about:
>
>>>> for i in range(41): print i, "'" + "password"[:i-40] + "'"
[skip]
> Can't really call it wrap around, I guess.
>
>>> Anyway:
>>>
>>> def checkPassword(self, storedPassword, password):
>>> salt = storedPassword[:max(0, len(storedPassword)-40)]
>>> return storedPassword == self.encodePassword(password, salt)
>> With Python you can do things as simply as possible. :-) The
>> expression
>> storedPassword[:-40] (which is equivalent to
>> storedPassword[:len(storedPassword)-40]) does exactly what you want:
>>
>> >>> "password"[:-40]
>> ''
>
> Keeping it simple is often the best way. Given the above, in order
> to ensure a blank salt with a password less than 40 characters,
> keeping it simple may not suffice.
I think in the example above you're testing for wrong use case since we
use constant slice index, the following example explains what I mean:
>>> hash = "123456789"
>>> while hash:
... print (hash[:-4], hash[-4:])
... hash = hash[1:]
...
('12345', '6789')
('2345', '6789')
('345', '6789')
('45', '6789')
('5', '6789')
('', '6789')
('', '789')
('', '89')
('', '9')
--
Dmitry Vasiliev <dima at hlabs.spb.ru>
http://hlabs.spb.ru
More information about the Zope3-dev
mailing list