Please note this email does not include or indicate a specific, immediately
viable flaw.

I'm doing a brief analysis of the contrib.auth system:
http://www.pythonsecurity.org/wiki/django/#authentication . I have a couple
of notes that I'd like to share with you.

   - I'm very glad you don't have MD5 as the default. SHA-1 (currently
   employed) is acceptable for now, but at this point there are theoretical
   attacks that can find collisions in time that is "within the realm of
   computational possibility". It is recommended that SHA-2 be used for new
   applications. See http://www.pythonsecurity.org/wiki/hashing/
   - The hashing scheme uses random.random(). The random module uses the
   deterministic Mersenne Twister algorithm to generate random numbers. This is
   fine for most purposes, but it is not suitable for cryptographic purposes.
   It is much better to create a random.SystemRandom instance
   (http://docs.python.org/library/random.html#random.SystemRandom) to get
   random data from the OS that is suitable for cryptography.
   - The most concerning thing in the hashing algorithm is that a salt of
   only 5 hexadecimal characters is used. This is just over a million possible
   salts (20 bits). We'd really like to see something closer to our
   recommendation of 64 bits.

Other tidbits:

   - Is there a measure to prevent users from having dollar signs in their
   passwords? This would mess up the concatenated string that is stored in the
   database.
   - You might consider hashing with multiple rounds. By applying the hash
   function many times, you essentially lengthen the hashing/password
   verification stage. Since users spend very little time in this stage, it
   will have minimal impact on them. Crackers spend nearly 100% of their time
   doing this, so it significantly slows them down. See
   http://www.pythonsecurity.org/wiki/hashing/#multiple-rounds


*Craig Younkins*
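The scheme the message above argues for, written out as an added example (this is not Django's code and not the author's): SHA-2 instead of SHA-1, a 64-bit salt drawn from random.SystemRandom rather than random.random(), and multiple rounds. The stored-string layout "algorithm$rounds$salt$digest", the 10000-round default and the function names are assumptions made for this illustration; PBKDF2-HMAC-SHA256 from the standard library is used as the standardized form of "apply the hash many times". The example also answers the dollar-sign question for this layout: the password text never enters the stored string, so a password containing "$" still verifies.

```python
import hashlib
import hmac
import random

# Added example, not Django's own code: password storage following the
# recommendations in the message above (SHA-2, OS-sourced salt via
# random.SystemRandom, 64-bit salt, multiple rounds). The stored layout
# "algorithm$rounds$salt$digest" and the round count are assumptions.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ROUNDS = 10000            # illustrative; raise as hardware gets faster
SALT_BITS = 64

_sysrand = random.SystemRandom()  # backed by os.urandom; seed() is a no-op


def mt_is_reproducible(seed):
    """Why random.random() is unsuitable for salts: the Mersenne Twister
    replays the identical sequence for the identical seed."""
    a = random.Random(seed)
    b = random.Random(seed)
    return [a.getrandbits(64) for _ in range(3)] == [b.getrandbits(64) for _ in range(3)]


def make_salt(bits=SALT_BITS):
    """Return `bits` bits of OS entropy as a hex string (16 chars for 64 bits)."""
    if bits <= 0 or bits % 4:
        raise ValueError("bits must be a positive multiple of 4")
    return format(_sysrand.getrandbits(bits), "0{}x".format(bits // 4))


def salt_space_bits(hex_chars):
    """Entropy of a hex salt of `hex_chars` characters (5 -> 20 bits, 16 -> 64 bits)."""
    return 4 * hex_chars


def _derive(password, salt, rounds):
    """PBKDF2-HMAC-SHA256: each round feeds the previous output back in, so the
    verifier's cost, and the cracker's cost per guess, grow linearly with rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("ascii"), rounds).hex()


def make_password(password, rounds=DEFAULT_ROUNDS, salt=None):
    """Hash `password` for storage. Only algorithm, rounds, salt and digest are
    stored; the password itself never appears in the stored string, so a "$"
    in the password cannot disturb the separators."""
    if salt is None:
        salt = make_salt()
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    return "$".join([ALGORITHM, str(rounds), salt, _derive(password, salt, rounds)])


def check_password(password, stored):
    """Re-derive with the stored salt and round count; compare in constant time."""
    try:
        algorithm, rounds, salt, digest = stored.split("$")
        rounds = int(rounds)
    except ValueError:
        return False                 # malformed stored value: never a match
    if algorithm != ALGORITHM or rounds < 1:
        return False
    return hmac.compare_digest(_derive(password, salt, rounds), digest)


if __name__ == "__main__":
    stored = make_password("pa$$word$")   # a password full of '$' still round-trips
    print(stored)
    print("verify ok:", check_password("pa$$word$", stored))
    print("20-bit salt space:", 2 ** salt_space_bits(5),
          "vs 64-bit:", 2 ** salt_space_bits(16))
```

Raising `DEFAULT_ROUNDS` (or re-hashing on next login when a stored value carries a smaller count) is how the "multiple rounds" cost is kept up with hardware without touching the layout.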
