Hi there, thanks for all input so far :-) Martijn Faassen wrote:
Shane Hathaway wrote: [snip]
Also, every encrypted password should have a scheme name prefix in curly braces, such as "{SSHA}", as discussed earlier in this thread. That makes it possible to support multiple schemes in a single database, which is essential for migration to new schemes.
+1
Such a fix can now be found in the ``ulif-saltfix`` branch of `zope.app.authentication`. _New_ passwords are now stored as

  {MD5}<LONG-HEX-NUMBER>
  {SHA1}<LONGER-HEX-NUMBER>
  {SSHA}<BASE64-STRING>

respectively. Old passwords, however, are still accepted and correctly verified by the respective `checkPassword` methods.

I didn't change the faulty salt handling of the SHA1 and MD5 password managers. Only the prefix is added now. Whoever wants more security could use SSHA. Setting a new password (which can in fact be the old one) should update any old SHA1/MD5 passwords. Note that these won't be more secure than the old ones! Only a prefix is added!

Oh, yes, and an SSHA password manager now also exists. The implementation is based on Reed O'Brien's sample on http://www.openldap.org/faq/data/cache/347.html. Some checks against passwords generated by `slappasswd` showed that this SSHA password manager should be compatible with at least slapd (SSHA) passwords.

Do we need an SMD5 manager as well (same as SSHA, only with MD5 instead of SHA1 as the hash algorithm)?

Any reviews by the more competent gurus on the list are highly appreciated.

Best regards,

-- Uli
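As an added illustration (not the code in the ``ulif-saltfix`` branch, and not Reed O'Brien's sample), the following stand-alone Python shows the {SSHA} layout the post describes, i.e. "{SSHA}" + base64(SHA1(password + salt) + salt) as produced by `slappasswd`, plus scheme detection by the curly-brace prefix so that legacy {MD5}/{SHA1} and unprefixed entries can be flagged for migration. The function names and the 4-byte salt length are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_DIGEST_LEN = 20  # SHA-1 produces a 20-byte digest; whatever follows it is the salt


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash `password` with a random (or given) salt in slappasswd's {SSHA} format."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4 random bytes, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def decode_ssha(encoded: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raises ValueError if malformed."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_DIGEST_LEN:
        raise ValueError("missing salt")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def check_ssha(encoded: str, password: str) -> bool:
    """Verify `password` against a stored {SSHA} value (constant-time digest compare)."""
    try:
        digest, salt = decode_ssha(encoded)
    except ValueError:
        return False
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def scheme_of(encoded: str) -> Optional[str]:
    """Return the scheme name from a '{SCHEME}...' prefix, or None for unprefixed legacy values."""
    if encoded.startswith("{") and "}" in encoded:
        return encoded[1:encoded.index("}")]
    return None


def needs_upgrade(encoded: str) -> bool:
    """True for legacy unprefixed entries and for {MD5}/{SHA1}, which only gained a prefix."""
    return scheme_of(encoded) != "SSHA"
```

Calling `needs_upgrade` at login time, right after a successful `check_ssha`/legacy check, is the point at which the stored value can be re-encoded with `encode_ssha`, matching the "setting a new password updates old entries" behaviour described above.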