[Zope-dev] PAS, AuthEncoding and zope.password

Martijn Pieters mj at zopatista.com
Fri Feb 18 16:19:41 EST 2011


I was looking into bcrypt[1] support for PAS I found z3c.bcrypt, which
implements zope.password compontents (named utilities).

PAS, however, uses Zope2's AccessControl.AuthEncoding module to handle
password encryption / hashing schemes. Now, while AuthEncoding
certainly supports extending the available schemes, it does need
additional glue-code to be able to reuse zope.password components.
Moreover, we now have two places to maintain the various hashing and
encryption schemes.

We should at the very least convert PAS to use zope.password instead
of AccessControl.AuthEncoding. With that change it is then at least
trivial to support bcrypt as well, you simply install the additional
z3c.bcrypt egg and be done with it. But would it make sense to convert
Zope2 itself as well? We could make the AuthEncodings module simply a
proxy (with deprecation warnings if need be) for zope.password
components.

Any objections to reworking both AuthEncoding and PAS?

-- 
Martijn Pieters

[1] see http://codahale.com/how-to-safely-store-a-password/ and
http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt


More information about the Zope-Dev mailing list