Guy Rutenberg <guyrutenb...@gmail.com> writes:
> Hi Martin,
>
> On Jan 30, 11:43 pm, Martin Conte Mac Donell <refl...@gmail.com> wrote:
>>
>> Actually in contrib.auth passwords are stored in SHA1. If you mean
>> that passwords are sent in plain text "over the network" then you
>> should use https.
>>
> I meant "over the network". While https is the ideal solution
> security-wise, for many small projects getting a signed certificate
> costs too much, and using a self-signed one scares users who
> encounter the browser's security alert.
>
> Sending hashed passwords, maybe even using something similar to HMAC,
> allows one to verify the user has the correct password without
> actually passing it.
But it doesn't help you at all. Someone who could get hold of a plain-text password sent over the internet could get a hashed password just as easily. And the server has no way of telling whether the sent password hash came from a browser showing your website or from something else. To protect a password you need an encrypted connection.

Password hashing is done to protect passwords from a compromised password database. If someone gets the stored password hashes he still cannot log on to your application because the hashing algorithm is irreversible. He can only try a brute-force attack if he knows the hashing algorithm. And this is why it is recommended that one uses longer passwords that don't appear in a dictionary.

Matthias
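The argument in Matthias's reply, as an added example that is not part of the original thread and is not Django's contrib.auth code: a toy server (the names Server, client_hash, client_send, eavesdropper_replay and demo, and the sample password, are all constructed for this illustration) is run in two modes, one where the browser sends the password itself and one where the browser sends a hash of it. In both modes an eavesdropper who records what crossed the wire can replay it and log in, because the server cannot distinguish a replayed value from a fresh one; the server-side salted hash only protects the stored database, not the transmission.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"   # constructed sample credential


def client_hash(password):
    """The 'hash it in the browser' idea: unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(salt, secret):
    """Server-side storage hash, loosely modelled on a salted SHA-1 scheme."""
    return hashlib.sha1((salt + secret).encode("utf-8")).hexdigest()


class Server:
    """Hypothetical login server.

    client_hashes=False: the client is expected to send the raw password.
    client_hashes=True:  the client is expected to send client_hash(password).
    Either way only a salted hash of the expected credential is stored.
    """

    def __init__(self, password, client_hashes):
        self.client_hashes = client_hashes
        self.salt = secrets.token_hex(8)
        credential = client_hash(password) if client_hashes else password
        self.stored = salted_sha1(self.salt, credential)  # what a DB leak exposes

    def login(self, credential):
        # The server only sees bytes on a socket; it cannot tell whether they
        # came from a real browser or from a replayed capture.
        return hmac.compare_digest(self.stored, salted_sha1(self.salt, credential))


def client_send(server, password):
    """What actually crosses the (unencrypted) wire under each scheme."""
    return client_hash(password) if server.client_hashes else password


def eavesdropper_replay(server, password):
    """Attacker records the client's transmission and resends it verbatim.

    The attacker never learns or needs the password in the hash-on-wire case;
    the transmitted hash *is* the credential.
    """
    captured = client_send(server, password)
    return server.login(captured)


def demo():
    """Run both schemes and report legit login, wrong password, and replay."""
    results = {}
    for name, hashes in (("plaintext-on-wire", False), ("hash-on-wire", True)):
        srv = Server(PASSWORD, hashes)
        results[name] = {
            "legit": srv.login(client_send(srv, PASSWORD)),
            "wrong_pw": srv.login(client_send(srv, "wrong password")),
            "replay": eavesdropper_replay(srv, PASSWORD),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in demo().items():
        print(scheme, outcome)
```

Running it shows "replay": True for both schemes: hashing on the client side changes which string is the password-equivalent, not whether an eavesdropper can use it. Only an encrypted channel removes the eavesdropper's ability to capture it.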