[Zope3-dev] SHA1Password manager, add a pinch of salt
Benji York
benji at zope.com
Mon Apr 23 12:04:57 EDT 2007
Giovannetti, Mark wrote:
> I like that update. However, it would fail authentication on
> stored lengths less than 40. Yes, I know that a length less than
> 40 would mean an anomalous stored password, but at least we
> guarantee a blank '' salt, rather than the possibility of getting
> some of the last hex digits of the stored password due to
> list wrap around. Might make debugging a problem just a little
> easier, you never know.
How about putting the salt on the end of the stored value? Then
fetching the salt would look like this:

    salt = storedPassword[40:]

That way if the stored value was less than 40 characters, the salt would
be the empty string.
--
Benji York
Senior Software Engineer
Zope Corporation
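
Added example, not part of the original message and not Zope's own code: a sketch of the digest-then-salt layout proposed above, showing that storedPassword[40:] yields an empty salt for short or unsalted stored values. The function names, the 8-hex-character salt, and hashing salt + password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 40  # length of a SHA-1 hex digest


def encode_password(password, salt=None):
    """Return '<40 hex digest><salt>', i.e. the salt is stored after the digest."""
    if salt is None:
        salt = os.urandom(4).hex()  # assumption: 8 hex characters of salt
    # Assumption: the salt is prepended to the password before hashing.
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return digest + salt


def split_stored(stored):
    """Split a stored value into (digest, salt) with the slices from the post.

    Slicing past the end of a string returns '', so a stored value of
    40 characters or fewer always yields an empty salt.
    """
    return stored[:DIGEST_LEN], stored[DIGEST_LEN:]


def check_password(stored, password):
    digest, salt = split_stored(stored)
    if len(digest) != DIGEST_LEN:
        # Anomalous (truncated) stored value: it can never authenticate.
        return False
    candidate = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = encode_password("secret", salt="abcd1234")  # constructed sample
    print(split_stored(stored))
    print(check_password(stored, "secret"), check_password(stored[:30], "secret"))
```

With this layout an unsalted 40-character digest still verifies, because its salt slice is simply the empty string.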