I agree, and my basic idea was to enable the use of a stronger algo than SHA1, which is breakable too. hashlib supports sha256 and sha512. As I said in the ticket comment, adding the app secret key could mitigate the danger of a brute-force attack on the SQL dump of the database.
On 29 Aug, 20:29, Tim Chase <[EMAIL PROTECTED]> wrote:
> > Maybe I'm wrong but this patch defines DEFAULT_ALGO at "django
> > installation" level. I think it should be defined at project level.
> > Something like this:
> >
> > >>> try:
> > ...     DEFAULT_ALGO = settings.DEFAULT_ALGO
> > ... except AttributeError:
> > ...     DEFAULT_ALGO = 'sha1'
> >
> > Does referring to project settings have some side issues I can't see?
>
> I'm of two minds on this:
>
> 1) it's nice to be able to set it once and forget it; as such,
> the above 4 lines are a nice addition.
>
> 2) MD5 and crypt have known problems[1][2] so I can see
> justification in setting up roadblocks to change from SHA1 to a
> weaker alternative. Seeing calls in the code explicitly
> requesting "crypt" or "md5" force the developer to make it clear
> that they *really* *do* want this weaker alternative -- even if
> it violates DRY.
>
> -tim
>
> [1] http://en.wikipedia.org/wiki/Md5
> [2] http://en.wikipedia.org/wiki/Crypt_(Unix)

You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/django-users?hl=en
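As an added illustration of the two ideas in this thread (a project-level DEFAULT_ALGO restricted to a list of accepted algorithms, and mixing the application secret key into the hash so a SQL dump alone is not enough for offline guessing), here is example code that is not from the thread or from Django itself. The `algo$salt$hash` layout follows Django's format of the time; the HMAC keying, the setting names and the sample secret are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the project settings discussed in the thread;
# DEFAULT_ALGO here plays the role of settings.DEFAULT_ALGO (hypothetical name).
SUPPORTED_ALGOS = ("sha1", "sha256", "sha512")
DEFAULT_ALGO = "sha256"
# Constructed example secret; a real deployment would use settings.SECRET_KEY.
SECRET_KEY = "constructed-example-secret-key"


def is_supported(algo):
    """Roadblock from the thread: only the listed algorithms are accepted,
    so a weaker one (md5, crypt) cannot slip in via a setting or a call."""
    return algo in SUPPORTED_ALGOS


def _digest(algo, salt, raw, secret_key=None):
    """Hex digest over salt + password, in Django's legacy algo$salt$hash style.
    With a secret key the digest is keyed via HMAC instead, so an attacker who
    holds only the SQL dump lacks an input needed to test guesses offline."""
    if not is_supported(algo):
        raise ValueError("unsupported password hash algorithm: %r" % algo)
    data = (salt + raw).encode("utf-8")
    if secret_key is not None:
        return hmac.new(secret_key.encode("utf-8"), data, algo).hexdigest()
    return hashlib.new(algo, data).hexdigest()


def make_password(raw, algo=None, salt=None, secret_key=None):
    """Encode a password as algo$salt$digest, defaulting to DEFAULT_ALGO."""
    algo = algo or DEFAULT_ALGO
    salt = salt or secrets.token_hex(4)  # fresh random salt per password
    return "%s$%s$%s" % (algo, salt, _digest(algo, salt, raw, secret_key))


def check_password(raw, encoded, secret_key=None):
    """Recompute with the stored algo and salt; compare in constant time."""
    algo, salt, digest = encoded.split("$", 2)
    return hmac.compare_digest(_digest(algo, salt, raw, secret_key), digest)


if __name__ == "__main__":
    stored = make_password("correct horse", secret_key=SECRET_KEY)
    print(stored)  # sha256$<salt>$<hex digest>
    print(check_password("correct horse", stored, secret_key=SECRET_KEY))  # True
    print(check_password("correct horse", stored))  # False: the dump alone is not enough
```

Note that a single fast hash, even SHA-512, still lets an attacker who also obtains the secret test guesses very quickly; current practice is a deliberately slow, iterated derivation (PBKDF2, bcrypt, scrypt or Argon2) on top of the salt.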