[Zope3-dev] SHA1Password manager, add a pinch of salt
Dmitry Vasiliev
dima at hlabs.spb.ru
Tue Apr 24 08:19:43 EDT 2007
Giovannetti, Mark wrote:
>> From: zopatista at gmail.com [mailto:zopatista at gmail.com] On
>> Behalf Of Martijn Pieters
>> def checkPassword(self, storedPassword, password):
>>     salt = storedPassword[:len(storedPassword)-40]
>>     return storedPassword == self.encodePassword(password, salt)
>>
>> That'll capture any salt length as the sha.hexdigest output is always
>> 40 characters long.
>
> I like that update. However, it would fail authentication on
> stored lengths less than 40. Yes, I know that a length less than
> 40 would mean an anomalous stored password, but at least we
> guarantee a blank '' salt, rather than the possibility of getting
> some of the last hex digits of the stored password due to
> list wrap around.
Slices don't wrap around.
> Might make debugging a problem just a little
> easier, you never know.
>
> Anyway:
>
> def checkPassword(self, storedPassword, password):
>     salt = storedPassword[:max(0, len(storedPassword)-40)]
>     return storedPassword == self.encodePassword(password, salt)
With Python you can do things as simply as possible. :-) The expression
storedPassword[:-40] (which is equivalent to
storedPassword[:len(storedPassword)-40]) does exactly what you want:
>>> "password"[:-40]
''
--
Dmitry Vasiliev <dima at hlabs.spb.ru>
http://hlabs.spb.ru
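The scheme the thread is debating, written out as an added example that is neither the posters' code nor Zope's own: the salt is stored in clear as a prefix, the SHA1 hexdigest is the trailing 40 characters, and the salt is recovered with the `[:-40]` slice, which yields `''` for a stored value shorter than 40 characters. The constant-time comparison and the function names are my additions.

```python
import hashlib
import hmac
import os

SHA1_HEX_LEN = 40  # sha1 hexdigest is always 40 hex characters


def encode_password(password, salt=None):
    """Return salt + hex(sha1(salt + password)).

    The salt is kept in clear as a prefix so that check_password can
    recover it from the stored value alone.
    """
    if salt is None:
        salt = os.urandom(8).hex()  # 16 hex chars; any length works below
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def extract_salt(stored):
    """Everything before the trailing 40 hex digits.

    Python slicing does not wrap around: for a stored value shorter than
    40 characters this is simply '' (e.g. "password"[:-40] == '').
    """
    return stored[:-SHA1_HEX_LEN]


def check_password(stored, password):
    """Re-encode with the recovered salt and compare in constant time.

    A stored value that is not of the form salt + 40 hex digits (for
    example an anomalous value shorter than 40 characters) can never
    match, because encode_password always returns at least 40 characters.
    """
    salt = extract_salt(stored)
    candidate = encode_password(password, salt)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
```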