[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-09-06 Thread Chris McDonough
Chris McDonough added the comment: Deferring this due to lack of response. -- status: chatting -> deferred

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-29 Thread Douglas Mayle
Douglas Mayle added the comment: Chris, I actually wrote a mock (using import hooks) that would allow me to simulate not being able to import a module, even if it's really available. This should allow us to get a higher coverage. Unfortunately, without bcrypt installed, we couldn't get full co

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-29 Thread Chris McDonough
Chris McDonough added the comment: Hi Douglas, Sorry for not responding til now; the worthwhile patches always require more thought than plain bug reports. Thanks for the submission! (FTR, I tried to apply the patch but it has a syntax error on line 267. That was easy to fix, just needed a ta

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-29 Thread Douglas Mayle
Douglas Mayle added the comment: Any comments for me? Anything I need to do to get this accepted? I think it's pretty thorough, but I'm open to any criticism...

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: Hopefully, the last of the unit tests that don't work properly in Python 2.4
repozewho_salted_hashes_with_bcrypt.diff Description: Binary data

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread admin
System message: __ Repoze Bugs __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: Whoops, bad unit test passed through because I was testing in Python 2.5
repozewho_salted_hashes_with_bcrypt.diff Description: Binary data

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: New version of the patch which also supports blowfish hashes when bcrypt is installed, and uses pycrypto on Python < 2.5 for sha256 support. This patch superseded the previous two patches.

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-19 Thread Douglas Mayle
Douglas Mayle added the comment: Adding a version of the patch that uses base64 encoding, to be more standards-compliant. The default comparator supports reading the older hex-based encoding as well... -- status: unread -> chatting

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-19 Thread Douglas Mayle
New submission from Douglas Mayle: The SQL Authenticator uses unsalted hashes by default, which are susceptible to attacks like rainbow tables. I'm including a patch to add support, with tests. In addition, it's useful to have a default implementation of the hash function, so I've added that.