[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

Shane Hathaway shane at hathawaymix.org
Wed Jan 21 12:50:47 EST 2009


Uli Fouquet wrote:
> Ok. I'll put something into the zope.app.authentication branches for
> review.

Great!

> Two remaining questions: I would like to use `os.urandom` instead of
> `random.randint` to create the salt, because this is recommended in
> cryptographic contexts. There was, however, a problem with this module
> in former times: sometimes it stopped until enough entropy was
> available, which could make threads and processes hang. Is this still an
> issue?

Well, the Linux man page for "urandom" says that /dev/urandom never 
blocks, while /dev/random can block if the entropy pool runs out.  I 
assume os.urandom uses /dev/urandom.

> Last question: How should we handle lack of SHA-2 hashes in the Python
> standard lib of 2.4? Self-implementing sounds too error-prone to me
> while existing Python ports of the reference implementation in PyCrypto
> etc. are implemented in C which would make `zope.app.authentication` a
> binary package. Something I would like to avoid. Or is support for
> Python 2.4 running out anyway?

Let's not implement the SHA-2 version yet.  SSHA, based on SHA-1, is 
sufficient for now.

Shane
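The scheme the thread settles on, SSHA (salted SHA-1) with an `os.urandom` salt, as an added example. This is not code from the thread or from `zope.app.authentication`; it assumes Python 3, an 8-byte salt, and the common `{SSHA}` layout of base64(digest || salt) used by LDAP-style password stores (an assumption about the on-disk format, not something the thread states). Verification uses `hmac.compare_digest` so that a wrong password is rejected in constant time, and malformed stored values are rejected rather than raising.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 8       # salt length chosen for this example
SHA1_DIGEST_LEN = 20  # SHA-1 always produces 20 bytes


def make_salt(nbytes=SALT_BYTES):
    """Return a fresh random salt from the OS CSPRNG.

    os.urandom reads /dev/urandom on Linux, which never blocks; /dev/random
    is the one that can stall waiting for entropy, as discussed above.
    """
    return os.urandom(nbytes)


def encode_ssha(password, salt=None):
    """Encode a password as '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = make_salt()
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(encoded):
    """Split a stored '{SSHA}...' value into (digest, salt).

    Returns None if the prefix, base64 payload, or digest length is wrong,
    so callers never have to catch decoding exceptions on the login path.
    """
    if not encoded.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(encoded[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
    if len(digest) != SHA1_DIGEST_LEN:
        return None
    return digest, salt


def check_ssha(password, encoded):
    """Return True if password matches the stored SSHA value.

    The salt is taken from the stored value; the comparison is constant-time
    so timing does not leak how many digest bytes matched.
    """
    parts = split_ssha(encoded)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    stored = encode_ssha("correct horse")
    print(stored)
    print("same password, new salt differs:", encode_ssha("correct horse") != stored)
    print("verify good:", check_ssha("correct horse", stored))
    print("verify bad: ", check_ssha("battery staple", stored))
```

Because the salt travels inside the stored value, two users with the same password get different stored strings, which is the point of the thread's subject line: a salt drawn from a weak or predictable source loses that property.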
