[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?
Uli Fouquet
uli at gnufix.de
Wed Jan 21 09:07:48 EST 2009
Hi there,
thanks for all input so far :-)
Martijn Faassen wrote:
> Shane Hathaway wrote:
> [snip]
> > Also, every encrypted password should have a scheme name prefix in curly
> > braces, such as "{SSHA}", as discussed earlier in this thread. That
> > makes it possible to support multiple schemes in a single database,
> > which is essential for migration to new schemes.
>
> +1
Such a fix can now be found in the ``ulif-saltfix`` branch of
`zope.app.authentication`.
_New_ passwords are now stored as
{MD5}<LONG-HEX-NUMBER>
{SHA1}<LONGER-HEX-NUMBER>
{SSHA}<BASE64-STRING>
respectively.
Old passwords, however, are still accepted and correctly verified by the
respective `checkPassword` methods.
I didn't change the faulty salt handling of the SHA1 and MD5 password
managers. Only the prefix is added now. Whoever wants more security
could use SSHA. Setting a new password (which can in fact be the old
one) should update any old SHA1/MD5 passwords. Note that these won't be
more secure than the old ones! Only a prefix is added!
Oh, yes, and an SSHA password manager now also exists. Implementation is
based on Reed O'Brien's sample on
http://www.openldap.org/faq/data/cache/347.html. Some checks against
passwords generated by `slappasswd` showed that this SSHA password
manager should be compatible with at least slapd (SSHA) passwords.
Do we need an SMD5 manager as well (same as SSHA, only with MD5 instead
of SHA1 as the hash algorithm)?
Any reviews by the more competent gurus in the list are highly
appreciated.
Best regards,
--
Uli
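The record layout discussed above, written out as an added example in Python. This is not code from zope.app.authentication or from the ``ulif-saltfix`` branch; it is an illustration of the scheme-prefix idea and of the SSHA layout from the OpenLDAP FAQ (base64 of digest(password + salt) followed by the salt, which is what `slappasswd` emits). Two things are assumptions, not facts from the post: that the unsalted `{SHA1}`/`{MD5}` payloads are plain hex digests of the password, and that records without any prefix are verified by a caller-supplied `legacy` callable (standing in for the old `checkPassword` methods) and rejected when none is given. It also covers the SMD5 variant asked about at the end of the post, since it differs from SSHA only in the digest.

```python
"""Scheme-prefixed password records (added example, not project code).

Assumptions not stated in the post: unsalted {SHA1}/{MD5} payloads are
the hex digest of the password alone; {SSHA}/{SMD5} use the OpenLDAP FAQ
layout base64(digest(password + salt) + salt); unprefixed records are
delegated to an optional `legacy` callable.
"""
import base64
import hashlib
import hmac
import os
import re

# scheme name -> (hashlib algorithm, digest length in bytes)
SALTED = {"SSHA": ("sha1", 20), "SMD5": ("md5", 16)}
PLAIN = {"SHA1": "sha1", "MD5": "md5"}
PREFIX = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def _bytes(password):
    return password if isinstance(password, bytes) else password.encode("utf-8")


def encode_salted(scheme, password, salt=None):
    """Return '{SSHA}' / '{SMD5}' + base64(digest(password + salt) + salt)."""
    algo, _ = SALTED[scheme]
    if salt is None:
        salt = os.urandom(8)  # fresh random salt for every new password
    digest = hashlib.new(algo, _bytes(password) + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def encode_plain(scheme, password):
    """Unsalted {SHA1}/{MD5} hex digest (assumed legacy layout, kept for migration only)."""
    return "{%s}%s" % (scheme, hashlib.new(PLAIN[scheme], _bytes(password)).hexdigest())


def check_password(stored, password, legacy=None):
    """Verify `password` against whatever scheme the prefix names.

    Records without a prefix predate the change; they are handed to the
    optional `legacy` callable (stored, password) -> bool and rejected when
    no such callable is supplied, so nothing silently falls back.
    """
    m = PREFIX.match(stored)
    if m is None:
        return bool(legacy and legacy(stored, password))
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme in SALTED:
        algo, dlen = SALTED[scheme]
        try:
            raw = base64.b64decode(payload)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        if len(raw) <= dlen:  # need the full digest plus at least one salt byte
            return False
        digest, salt = raw[:dlen], raw[dlen:]
        expected = hashlib.new(algo, _bytes(password) + salt).digest()
        return hmac.compare_digest(digest, expected)
    if scheme in PLAIN:
        expected = hashlib.new(PLAIN[scheme], _bytes(password)).hexdigest()
        return hmac.compare_digest(payload.encode("utf-8"), expected.encode("ascii"))
    return False  # unknown scheme: refuse rather than guess


def needs_upgrade(stored, preferred="SSHA"):
    """True when a successful login should re-encode the record under `preferred`."""
    m = PREFIX.match(stored)
    return m is None or m.group(1).upper() != preferred


if __name__ == "__main__":
    rec = encode_salted("SSHA", "secret")
    print(rec, check_password(rec, "secret"), needs_upgrade(rec))
    old = encode_plain("MD5", "secret")
    print(old, check_password(old, "secret"), needs_upgrade(old))
```

The `needs_upgrade` check is the piece that makes the "set the password again to migrate" step in the post automatic: on a successful login you already hold the cleartext, so the record can be re-encoded as `{SSHA}` right there instead of waiting for the user to change it.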