[Zope3-dev] SHA1Password manager, add a pinch of salt
Giovannetti, Mark
giovanne at nrcan.gc.ca
Mon Apr 23 11:51:13 EDT 2007
Hi Martijn,
> -----Original Message-----
> From: zopatista at gmail.com [mailto:zopatista at gmail.com] On
> Behalf Of Martijn Pieters
>
> On 4/20/07, Giovannetti, Mark <giovanne at nrcan.gc.ca> wrote:
> > + def checkPassword(self, storedPassword, password):
> > + if len(storedPassword) == 48:
> > + salt = storedPassword[0:8]
> > + else:
> > + salt = ''
> > + return storedPassword ==
> self.encodePassword(password, salt)
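Review bot: the `if len(storedPassword) == 48:` test hard-codes an 8-character salt, so a value that was encoded with a salt of any other length (which passing the salt into encodePassword appears to allow) drops into the `else` branch, is checked with `salt = ''` and fails verification; derive the salt as everything that precedes the 40-character hex digest instead, or reject salts that are not 8 characters long in encodePassword. Separately, `return storedPassword == self.encodePassword(password, salt)` is a plain string comparison that stops at the first differing character; a constant-time comparison is preferable when checking password hashes.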
>
> Because you allow the passing in of an arbitrary salt on encoding, you
> should either check the salt length on encoding (ensuring len 8) or,
> better, do the following:
>
> def checkPassword(self, storedPassword, password):
>     salt = storedPassword[:len(storedPassword)-40]
>     return storedPassword == self.encodePassword(password, salt)
>
> That'll capture any salt length as the sha.hexdigest output is always
> 40 characters long.
>
I like that update. However, it would fail authentication on
stored lengths less than 40. Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we
guarantee a blank '' salt, rather than the possibility of getting
some of the last hex digits of the stored password due to
list wrap around. Might make debugging a problem just a little
easier, you never know.
Anyway:
def checkPassword(self, storedPassword, password):
    salt = storedPassword[:max(0, len(storedPassword)-40)]
    return storedPassword == self.encodePassword(password, salt)
Thanks!
Mark
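To show the whole salt-prefix scheme the thread is discussing end to end, here is an added example of a small salted-SHA1 password manager. It is not the Zope 3 code under review and not code from either poster; it assumes the stored form is the salt followed by the 40 hex characters of sha1(salt + password), uses a made-up class name (SaltedSHA1PasswordManager), and uses hashlib/hmac rather than the old `sha` module. checkPassword takes the salt as everything before the digest with the `max(0, ...)` guard from the reply above, and swaps the `==` for a constant-time comparison.

```python
import hashlib
import hmac
import os

# Added example, not the zope.app.authentication implementation.
# Assumed stored format: <salt><40 hex chars of sha1(salt + password)>.
# SHA1 is used only because the thread is about the SHA1 password manager;
# a new design would use a slow, salted KDF (scrypt, argon2, PBKDF2).

SHA1_HEX_LEN = 40  # sha1().hexdigest() is always 40 characters


class SaltedSHA1PasswordManager:
    """Hypothetical manager mirroring the checkPassword discussed above."""

    def encodePassword(self, password, salt=None):
        # Generate a fresh 8-character hex salt when none is supplied.
        # Callers may still pass a salt of any length, which is exactly
        # why checkPassword must not assume a fixed salt length.
        if salt is None:
            salt = os.urandom(4).hex()
        if isinstance(password, str):
            password = password.encode("utf-8")
        digest = hashlib.sha1(salt.encode("utf-8") + password).hexdigest()
        return salt + digest

    def extractSalt(self, storedPassword):
        # Everything before the trailing 40-character digest is the salt.
        # max(0, ...) keeps an anomalously short stored value from producing
        # a negative slice that would hand back digest characters as "salt".
        return storedPassword[:max(0, len(storedPassword) - SHA1_HEX_LEN)]

    def checkPassword(self, storedPassword, password):
        salt = self.extractSalt(storedPassword)
        candidate = self.encodePassword(password, salt)
        # compare_digest instead of == so the check does not leak, through
        # timing, how many leading characters of the hash were correct.
        return hmac.compare_digest(candidate.encode("utf-8"),
                                   storedPassword.encode("utf-8"))


def demo():
    """Exercise the three cases from the thread: default salt, odd-length
    salt, and a stored value too short to contain a digest at all."""
    mgr = SaltedSHA1PasswordManager()
    default = mgr.encodePassword("secret")                  # 8-char salt
    long_salt = mgr.encodePassword("secret", "abcdefghijkl")  # 12-char salt
    unsalted = mgr.encodePassword("secret", "")             # no salt
    return {
        "default_ok": mgr.checkPassword(default, "secret"),
        "default_wrong": mgr.checkPassword(default, "wrong"),
        "long_salt_ok": mgr.checkPassword(long_salt, "secret"),
        "long_salt_value": mgr.extractSalt(long_salt),
        "unsalted_ok": mgr.checkPassword(unsalted, "secret"),
        "short_salt": mgr.extractSalt("deadbeef"),
        "short_ok": mgr.checkPassword("deadbeef", "secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the salt is recovered from the stored string rather than from a fixed offset, a record written with a 12-character salt verifies just as well as one written with the default 8, and an 8-character stored value yields an empty salt and a clean failure instead of a negative slice.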