[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?
Uli Fouquet
uli at gnufix.de
Tue Jan 20 20:19:13 EST 2009
Hi there,
Shane Hathaway wrote:
> We should really be using the SSHA standard (as defined by LDAP) as a
> minimum. SSHA was the default in Zope 2, but someone forgot to bring
> this code over to Zope 3.
>
> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup
Is there some recent documentation about SSHA available? The netscape
links seems to be down.
The code looks quite similar to what is done in the current SHA1
password manager, but if there is a standard we could follow, we might
should do that and recommend people to switch.
SSHA seems cryptography-wise to be as strong or weak as the used hash
algorithm (which here was SHA-1), so I wonder whether you would like to
replace the standard SHA1 manager by an SSHA manager or vote for
providing a new one.
> A SHA-256 version of the algorithm would also be useful since
> cryptography experts expect SHA-1 to be vulnerable soon.
Yes, indeed. All that SHA-2 stuff (SHA-224, SHA-256, SHA384 and SHA-512)
might be the choice for future. Unfortunately we have no out-of-the-box
support for these in Python 2.4. They were introduced in Python 2.5
IIRC.
Best regards,
--
Uli
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : http://mail.zope.org/pipermail/zope-dev/attachments/20090121/e2c11085/attachment.bin
More information about the Zope-Dev
mailing list