I recommend that you use bcrypt, the password-hashing algorithm used in OpenBSD.
The advantages are that it automatically creates and manages the salt for each password entered, and, most importantly, that it is adaptable to future processor performance improvements.

http://pypi.python.org/pypi/bcryptWrap

On 30 Jan, 19:36, Guy Rutenberg <guyrutenb...@gmail.com> wrote:
> Hi,
>
> I've started using Django recently and when I've used the auth module
> I noticed that it only verifies a plain text password. I'm not
> comfortable with this behaviour as it means that passwords have to be
> sent by login forms in plain text.
>
> In previous projects of mine I've used a solution that involved
> comparing a hash value of a given salt with the hash of the password
> (which is stored in the database). A salt is sent with the login form
> and upon submission, using javascript the salt is concatenated with a
> hashed password and then both of them are hashed again. The same thing
> happens in the server-side and only the resulting hashes are compared.
> This eliminates the need to send the password in plain-text in the
> login forms and adds extra security.
>
> Is it possible to do such a thing with the current auth module? If not, how
> hard will it be to add such functionality to the current module/write
> a new authentication backend for it?
>
> Thanks,
>
> Guy Rutenberg
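
An added example, not part of the original message and not bcryptWrap's code: it shows the two properties named in the reply, a per-password salt kept inside the stored record and a work factor that can be raised later, with stored hashes upgraded at the next successful login. Assumptions: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the record layout and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only).
# The record layout "pbkdf2$<cost>$<salt hex>$<digest hex>" is hypothetical.
DEFAULT_COST = 12  # work factor: 2**cost iterations, raised as hardware gets faster


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)


def hash_password(password: str, cost: int = DEFAULT_COST) -> str:
    """Hash with a fresh random salt; salt and cost travel inside the record."""
    salt = os.urandom(16)
    digest = _derive(password, salt, cost)
    return "pbkdf2${}${}${}".format(cost, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, cost_text, salt_hex, digest_hex = record.split("$")
        cost = int(cost_text)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: wrong field count, bad number or bad hex
    if scheme != "pbkdf2" or not 1 <= cost <= 24:
        return False  # unknown scheme, or a cost outside the range we accept
    return hmac.compare_digest(_derive(password, salt, cost), expected)


def login(password: str, record: str, target_cost: int = DEFAULT_COST):
    """Return (ok, record); a record below target_cost is re-hashed on success."""
    if not verify_password(password, record):
        return False, record
    if int(record.split("$")[1]) < target_cost:
        # Only possible here, while the plaintext password is available.
        record = hash_password(password, target_cost)
    return True, record
```

The caller stores the record returned by `login` back in the user row whenever it differs from the one it passed in.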