On Mon, 2007-01-01 at 08:56 -0800, Ryan Roth wrote:
> I will redo it with crypt then. BTW it does work. It takes the stored
> password hash, then it hashes the supplied password and compares them.
The patch as submitted wouldn't work (because it had the crypt line that shouldn't have been there, as you said). No problem, we all submit patches with accidental cruft left behind. :)

> 'saltedflavor')", was not supposed to be in there, sorry. I would like
> to use the username for the salt that way I can truncate it off the
> stored hash, but this is your call.

I'm going to rule with an iron fist on this one. :) If we're going to do it at all, let's do it right. I don't fully understand the security characteristics of using the salt as the username, but then neither do you. But intuitively it is less secure than using a random salt.

Cryptography is hard enough, but it's also largely a solved problem. We have existing models to follow (in this case the standard unix passwd model), and deviating from a model that was devised and reviewed by security experts, has been in use for years, and has well understood security properties seems to me to be a bad idea.

I feel compelled to quote Peter Gutmann: "Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."

So the password helper will:

1. Prompt for username and password
2. Generate a salt of 8 random bytes (from the set [a-zA-Z0-9./]) gotten from /dev/urandom
3. Output username and crypt.crypt(password, "$1$%s$" % salt)

And the webserver will:

1. Read username and password from remote end
2. Grab cryptpass from config file for given username
3. Parse $1$.{8}$ from cryptpass as salt.
4. Compare cryptpass with crypt.crypt(password, "$1$%s$" % salt)

Hopefully you're not too exasperated. I'm just stubborn. :)

Thanks, Jason.
_______________________________________________
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
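The helper and webserver steps Jason lays out, written up as an added example (this is not code from the Freevo project or from anyone in the thread). It assumes Python's stdlib crypt module and a libc that supports the $1$ MD5-crypt scheme; the bias-free salt draw and the constant-time comparison are additions beyond what the message specifies.

```python
# Added example, not Freevo code: the password helper side (make_salt,
# hash_password) and the webserver side (parse_salt, check_password) of the
# "$1$<8-char salt>$<hash>" scheme described in the thread.
# Assumption: the stdlib crypt module (deprecated in 3.11, removed in 3.13)
# is present and the platform libc implements $1$ (MD5-crypt).
import hmac
import re
import secrets

try:
    import crypt  # Unix-only stdlib module; see assumption above
except ImportError:
    crypt = None

# Exactly the 64-character set the message names: [a-zA-Z0-9./]
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
SALT_RE = re.compile(r"^\$1\$([A-Za-z0-9./]{8})\$")


def crypt_available() -> bool:
    return crypt is not None


def make_salt() -> str:
    """8 chars from the alphabet, drawn via the OS CSPRNG (secrets uses urandom).
    secrets.choice avoids the modulo bias of mapping raw bytes with `% 64`."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(8))


def hash_password(password: str, salt: str = "") -> str:
    """Helper side: the $1$<salt>$<hash> string to store beside the username."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable on this Python build")
    return crypt.crypt(password, "$1$%s$" % (salt or make_salt()))


def parse_salt(cryptpass: str) -> str:
    """Server side: recover the 8-char salt from a stored $1$.{8}$ hash."""
    m = SALT_RE.match(cryptpass)
    if not m:
        raise ValueError("stored hash is not in $1$<salt>$ form")
    return m.group(1)


def check_password(password: str, cryptpass: str) -> bool:
    """Server side: re-hash with the stored salt, then compare in constant time."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable on this Python build")
    candidate = crypt.crypt(password, "$1$%s$" % parse_salt(cryptpass))
    if not candidate:  # some libcs return None/"*0" for unsupported methods
        return False
    return hmac.compare_digest(candidate.encode(), cryptpass.encode())
```

Running the helper once per user and storing only its output keeps the salt visible but the password unrecoverable; the server never needs the salt stored separately because parse_salt pulls it back out of the hash.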