Exactly!! Besides the one-way hashing algorithms, salt-based
algorithms are also not feasible to go with this strategy.

Thanks for clarifying this side as well.

Regards,
M N Islam Shihan

On May 3, 2009, at 3:49 PM, Elliott <join.toget...@gmail.com> wrote:

>
> On May 3, 2:51 am, "M. N. Islam Shihan" <mnis4...@gmail.com> wrote:
>> It should be possible to provide a fallback to go with unencrypted
>> authentication @ server side depending on whether a flag set at
>> client side by javascript (using cookie or hidden field).
>>
>> Anyway, the only limitation of this technique I see is it can't be
>> used in cases where the one-way hashing algorithm to encrypt
>> password @ server side is not md5, that in turn will limit the
>> versatile nature of choosing password encryption mechanism provided
>> by a web development framework like django.
>>
>> Regards,
>> M N Islam Shihan
> This shouldn't be a concern, as the other hashing methods should be
> able to be implemented in js as well.
>
> The real problem is that the method used, as well as the salt, are
> stored on a per-user basis. Both of these would need to be known by
> the js in order to properly hash the password, but they cannot be
> known without first knowing which user was attempting to log in. That
> complicates things a lot, because now you have to send in a user ID
> and get back a method/salt. That throws out the whole "don't reveal
> whether a user with this username actually exists" thing. You can fix
> that by generating a randomized response if the user doesn't exist etc
> etc, and you just have more and more complications down the line, with
> more and more data being sent back and forth for one login.
>
> In short, there is no simple way within django to encrypt logins with
> django's authentication system.
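
The method/salt lookup step described in the quoted reply, as an added example that is not part of the original thread or of Django's code. It assumes a stored `algo$salt$hash` record layout and hypothetical names (`USERS`, `login_params`, `SERVER_SECRET`), and it derives the answer for a nonexistent user from a server-side key so that the same username always gets the same parameters.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment would load the key from config.
SERVER_SECRET = b"constructed-demo-secret"
ALGOS = ("md5", "sha1")          # methods the client-side js is assumed to support
SALT_LEN = 5                     # assumed salt length, in hex characters


def make_record(algo, salt, password):
    """Build a stored record in the assumed 'algo$salt$hash' layout."""
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{algo}${salt}${digest}"


# Constructed user table: username -> stored record.
USERS = {"alice": make_record("sha1", "a1b2c", "correct horse")}


def login_params(username):
    """Return the (algo, salt) pair the client needs before it can hash.

    Unknown usernames get a decoy derived from HMAC(SERVER_SECRET, username):
    it is stable across requests and has the same shape as a real answer,
    so the response alone does not show whether the account exists.
    """
    # Compute the decoy unconditionally so both paths do similar work.
    mac = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    decoy = (ALGOS[mac[0] % len(ALGOS)], mac[1:].hex()[:SALT_LEN])

    record = USERS.get(username)
    if record is None:
        return decoy
    algo, salt, _stored_hash = record.split("$")
    return algo, salt


if __name__ == "__main__":
    for name in ("alice", "mallory", "mallory"):
        print(name, login_params(name))
```

This covers only the extra round trip the reply mentions; the login request that follows still has to be handled identically for real and decoy parameters.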
