[Zope3-dev] SHA1Password manager, add a pinch of salt

Dmitry Vasiliev dima at hlabs.spb.ru
Sat Apr 21 05:38:03 EDT 2007


Giovannetti, Mark wrote:
> I've been researching authentication and whatnot in Zope 3
> and was looking at the password management implementations.
> I don't like the fact that the SHA1 password manager
> doesn't use a random salt value when encoding and storing
> a password.  Salts are commonly used in /etc/passwd and
> friends to eliminate the identification of passwords that
> are the same among users, as well as to make the brute
> forcing space a little larger.

Actually I've always thought about z.a.authentication.password as a 
simple reference implementation which you can use if you don't care much 
about security. However, in production it is always preferred to use more 
secure password managers. I'm not sure we need to apply the proposed 
patch, but rather add a note about the reference implementation at the top of 
the z.a.a.password.

-- 
Dmitry Vasiliev <dima at hlabs.spb.ru>
http://hlabs.spb.ru
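As an added illustration of the point raised in the thread (this is example code, not Zope's own password manager): an unsalted SHA1 manager beside a salted variant that stores a random salt next to the digest. The class names, the `encodePassword`/`checkPassword` method names and the `{SHA}`/`{SSHA}` prefixes are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os


class UnsaltedSHA1PasswordManager:
    """Hash only the password: two users with the same password store the same value."""

    def encodePassword(self, password):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return "{SHA}" + base64.b64encode(digest).decode("ascii")

    def checkPassword(self, stored, password):
        # Constant-time comparison avoids leaking how many leading chars matched.
        return hmac.compare_digest(stored, self.encodePassword(password))


class SaltedSHA1PasswordManager:
    """Hash password + random salt and store digest||salt, so equal passwords differ."""

    SALT_LEN = 8      # bytes of random salt per stored password
    DIGEST_LEN = 20   # SHA1 digest size

    def encodePassword(self, password, salt=None):
        if salt is None:
            salt = os.urandom(self.SALT_LEN)  # fresh salt for every encode
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

    def checkPassword(self, stored, password):
        if not stored.startswith("{SSHA}"):
            return False
        try:
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
        except (ValueError, TypeError):
            return False  # malformed stored value never verifies
        digest, salt = raw[:self.DIGEST_LEN], raw[self.DIGEST_LEN:]
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)


def stored_values_collide(manager, passwords):
    """True if any two of these passwords encode to the same stored value.

    With the unsalted manager, identical passwords are visible as identical
    stored values (Mark's concern); with the salted one they are not.
    """
    stored = [manager.encodePassword(p) for p in passwords]
    return len(set(stored)) < len(stored)
```

Salting removes the cross-user identification described in the quoted message, but SHA1 is still fast, so a per-user brute force stays cheap; a deliberately slow, iterated scheme is what closes that gap.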

