On Fri, 2010-10-01 at 10:59 -0700, Yo-Yo Ma wrote: > Form wizard docs mention that MD5 hashes are made using > settings.SECRET_KEY - > http://docs.djangoproject.com/en/dev/ref/contrib/formtools/form-wizard/#django.contrib.formtools.wizard.FormWizard.security_hash > > If you give me a value, I give you a hash back, and you're aware that > I'm using Django (think BitBucket which everyone knows is using > Django), couldn't I use those values to learn your secret key. I > understand this would be difficult and time consuming to try to > accomplish, and I apologize if I'm raising unwarranted alarms, but I > thought it was worth mentioning.
Um, in theory, yes, *all* cryptographic measures can be broken given some information and enough time. You somehow missed the part where you explained what kind of attack you would do, and showed roughly how long it would take to do this brute force attack, given the typical secret keys that a Django 'startproject' command generates, and why we should therefore be worried. (BTW, if you actually do this, and you discover there is a problem, the right place to report it is secur...@djangoproject.com, not here). > Also, why MD5? I thought Django was switching to SHA1 for security > reasons. If we switch we will break compatibility with existing hashes. We'd like to switch to HMAC-SHA1 (it's on my TODO list actually), but only if we can do so without causing lots of breakage. Luke -- "DO NOT DISTURB. I'm disturbed enough already." Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
