[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

Shane Hathaway shane at hathawaymix.org
Sat Jan 17 15:18:50 EST 2009


Uli Fouquet wrote:
> while working on a password manager tool (commandline) for Grok I
> stumbled over the usage of salts in the password managers of
> `zope.app.authentication`.
> 
> In short, they seem to generate (and store) a salt number but do not
> make any use of it when it comes to creating the hashes (SHA1, MD5,
> whatever). As a result, same passwords lead always to same hashes, only
> the leading salt number is different. This could be exploited by
> dictionary attacks.

We should really be using the SSHA standard (as defined by LDAP) as a 
minimum.  SSHA was the default in Zope 2, but someone forgot to bring 
this code over to Zope 3.

http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup

A SHA-256 version of the algorithm would also be useful since 
cryptography experts expect SHA-1 to be vulnerable soon.

Shane



More information about the Zope-Dev mailing list