[Zope3-dev] SHA1Password manager, add a pinch of salt

Giovannetti, Mark giovanne at nrcan.gc.ca
Fri Apr 20 15:37:40 EDT 2007 

Hi,

I've been researching authentication and whatnot in Zope 3
and was looking at the password management implementations.
I don't like the fact that the SHA1 password manager
doesn't use a random salt value when encoding and storing
a password.  Salts are commonly used in /etc/passwd and
friends to eliminate the identification of passwords that
are the same among users, as well as to make the brute
forcing space a little larger.

Here is a unified diff that adds 32 bits of salt to
the SHA1 password storage mechanism.  The same may be
done for md5, but its use is falling out of favour, so
I didn't bother.

What else do I need to do to contribute this change?
Have I missed anything?

Regards,
Mark


zope# diff -u password.py.dist password.py
--- password.py.dist    Tue Oct 24 04:21:55 2006
+++ password.py Fri Apr 20 14:21:31 2007
@@ -13,12 +13,13 @@
 ##############################################################################
 """Password managers

-$Id: password.py 70897 2006-10-24 08:21:55Z flox $
+$Id$
 """
 __docformat__ = 'restructuredtext'

 import md5
 import sha
+import random

 from zope.interface import implements, classProvides
 from zope.schema.interfaces import IVocabularyFactory
@@ -85,19 +86,34 @@
     >>> verifyObject(IPasswordManager, manager)
     True

-    >>> encoded = manager.encodePassword("password")
+    >>> encoded = manager.encodePassword("password", salt='')
     >>> encoded
     '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'
     >>> manager.checkPassword(encoded, "password")
     True
     >>> manager.checkPassword(encoded, "bad")
     False
+
+    >>> encoded = manager.encodePassword("password")
+    >>> manager.checkPassword(encoded, "password")
+    True
+    >>> manager.checkPassword(encoded, "bad")
+    False
     """

     implements(IPasswordManager)

-    def encodePassword(self, password):
-        return sha.new(password).hexdigest()
+    def encodePassword(self, password, salt=None):
+        if salt is None:
+            salt = '%x' % random.randrange(1, 2**32-1)
+        return salt + sha.new(salt+password).hexdigest()
+
+    def checkPassword(self, storedPassword, password):
+        if len(storedPassword) == 48:
+            salt = storedPassword[0:8]
+        else:
+            salt = ''
+        return storedPassword == self.encodePassword(password, salt)

 # Simple registry used by mkzopeinstance script
 managers = [

More information about the Zope3-dev mailing list