[Zope3-dev] SHA1Password manager, add a pinch of salt
Giovannetti, Mark
giovanne at nrcan.gc.ca
Mon Apr 23 12:03:54 EDT 2007
Hi Dimitry,
> -----Original Message-----
> From: Dmitry Vasiliev [mailto:dima at hlabs.spb.ru]
>
> Giovannetti, Mark wrote:
> > I've been researching authentication and whatnot in Zope 3
> > and was looking at the password management implementations.
> > I don't like the fact that the SHA1 password manager
> > doesn't use a random salt value when encoding and storing
> > a password. Salts are commonly used in /etc/passwd and
> > friends to eliminate the identification of passwords that
> > are the same among users, as well as to make the brute
> > forcing space a little larger.
>
> Actually I've always thought about z.a.authentication.password as a
> simple reference implementation which you can use if you
> don't care much
> about security. However in production it always preferred to use more
> secure password managers. I'm not sure we need to apply the proposed
> patch but rather add note about reference implementation at
> the top of
> the z.a.a.password.
>
You make a point, although I would expect a reference
implementation to be as good as possible. Hence, improvements
can be encouraged and, perhaps, the security bar raised.
Adding this salt patch allows a better, more secure reference
implementation.
Surely, welcoming obvious improvements that will save some
other zope developer from re-implementing a secure /etc/passwd
equivalent is desirable.
A note is likely to make the potential zope developer sigh
and realize that there is more work for them to do.
Don't get me wrong, I will be using LDAP in the future, but
for many zope implementations, a good local passwd file is
and can be secure enough for people who care about security.
I do, which is why I took the time to write this patch.
Anyway, I hope I've convinced you! If not, c'est la vie!
Mark
P.S.
Python 2.5 has hashlib which supports sha224, sha256 and so forth.
I may look into adding support for those hashes to password
when zope has been updated for 2.5.
More information about the Zope3-dev
mailing list