Re: use crypt algo for user passwords

2008-09-01 Thread SammyRulez

I agree, and my basic idea was to enable the use of a stronger algo
than sha1, which is breakable too. Hashlib supports sha256 and
sha512. As I said in the ticket comment, adding the app secret key could
mitigate the danger of a brute force attack on the SQL dump of the
database.

On 29 Aug, 20:29, Tim Chase <[EMAIL PROTECTED]> wrote:
> > Maybe I'm wrong but this patch defines DEFAULT_ALGO at "django
> > installation" level. I think it should be defined at project level.
> > something like this
> >
> > >>> try:
> > ...     DEFAULT_ALGO = settings.DEFAULT_ALGO
> > ... except AttributeError:  # a missing setting raises AttributeError, not NameError
> > ...     DEFAULT_ALGO = 'sha1'
> >
> > does referring to project settings have some side issues I can't see?
>
> I'm of two minds on this:
>
> 1) it's nice to be able to set it once and forget it; as such,
> the above 4 lines are a nice addition.
>
> 2) MD5 and crypt have known problems [1][2] so I can see
> justification in setting up roadblocks to change from SHA1 to a
> weaker alternative.  Seeing calls in the code explicitly
> requesting "crypt" or "md5" force the developer to make it clear
> that they *really* *do* want this weaker alternative -- even if
> it violates DRY.
>
> -tim
>
> [1] http://en.wikipedia.org/wiki/Md5
>
> [2] http://en.wikipedia.org/wiki/Crypt_(Unix)
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Re: use crypt algo for user passwords

2008-08-29 Thread Tim Chase

> Maybe I'm wrong but this patch defines DEFAULT_ALGO at "django
> installation" level. I think it should be defined at project level.
> something like this
> 
> >>> try:
> ...     DEFAULT_ALGO = settings.DEFAULT_ALGO
> ... except AttributeError:  # a missing setting raises AttributeError, not NameError
> ...     DEFAULT_ALGO = 'sha1'
> 
> does referring to project settings have some side issues I can't see?

I'm of two minds on this:

1) it's nice to be able to set it once and forget it; as such, 
the above 4 lines are a nice addition.

2) MD5 and crypt have known problems[1][2] so I can see 
justification in setting up roadblocks to change from SHA1 to a 
weaker alternative.  Seeing calls in the code explicitly 
requesting "crypt" or "md5" force the developer to make it clear 
that they *really* *do* want this weaker alternative -- even if 
it violates DRY.

-tim

[1] http://en.wikipedia.org/wiki/Md5

[2] http://en.wikipedia.org/wiki/Crypt_(Unix)








Re: use crypt algo for user passwords

2008-08-29 Thread SammyRulez

Maybe I'm wrong but this patch defines DEFAULT_ALGO at "django
installation" level. I think it should be defined at project level.
something like this

>>> try:
...     DEFAULT_ALGO = settings.DEFAULT_ALGO
... except AttributeError:  # a missing setting raises AttributeError, not NameError
...     DEFAULT_ALGO = 'sha1'

does referring to project settings have some side issues I can't see?

On 28 Aug, 19:57, Tim Chase <[EMAIL PROTECTED]> wrote:
> > thanks, opened ticket #8647
>
> Attached is a patch against contrib/auth/models.py that should
> add an "algo" parameter to set_password so it takes an algorithm.
>
> -tim
>
> [specify_algo.diff]Index: models.py
> ===
> --- models.py   (revision 8666)
> +++ models.py   (working copy)
> @@ -9,6 +9,7 @@
>  import urllib
>
>  UNUSABLE_PASSWORD = '!' # This will never be a valid hash
> +DEFAULT_ALGO = 'sha1'
>
>  try:
>      set
> @@ -103,12 +104,12 @@
>          return self.name
>
>  class UserManager(models.Manager):
> -    def create_user(self, username, email, password=None):
> +    def create_user(self, username, email, password=None, algo=DEFAULT_ALGO):
>          "Creates and saves a User with the given username, e-mail and 
> password."
>          now = datetime.datetime.now()
>          user = self.model(None, username, '', '', email.strip().lower(), 
> 'placeholder', False, True, False, now, now)
>          if password:
> -            user.set_password(password)
> +            user.set_password(password, algo)
>          else:
>              user.set_unusable_password()
>          user.save()
> @@ -172,9 +173,8 @@
>          full_name = u'%s %s' % (self.first_name, self.last_name)
>          return full_name.strip()
>
> -    def set_password(self, raw_password):
> +    def set_password(self, raw_password, algo=DEFAULT_ALGO):
>          import random
> -        algo = 'sha1'
>          salt = get_hexdigest(algo, str(random.random()), 
> str(random.random()))[:5]
>          hsh = get_hexdigest(algo, salt, raw_password)
>          self.password = '%s$%s$%s' % (algo, salt, hsh)
> @@ -343,7 +343,7 @@
>      def delete(self):
>          raise NotImplementedError
>
> -    def set_password(self, raw_password):
> +    def set_password(self, raw_password, algo=DEFAULT_ALGO):
>          raise NotImplementedError
>
>      def check_password(self, raw_password):



Re: use crypt algo for user passwords

2008-08-28 Thread Tim Chase
> thanks, opened ticket #8647

Attached is a patch against contrib/auth/models.py that should 
add an "algo" parameter to set_password so it takes an algorithm.

-tim





Index: models.py
===
--- models.py   (revision 8666)
+++ models.py   (working copy)
@@ -9,6 +9,7 @@
 import urllib
 
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
+DEFAULT_ALGO = 'sha1'
 
 try:
 set
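Review bot: `+DEFAULT_ALGO = 'sha1'` is a module-level constant in contrib/auth/models.py, so the default can only be changed by editing the installed Django source; if the intent is a per-project default, this line should read from the project settings (for example `getattr(settings, 'DEFAULT_ALGO', 'sha1')`, with `settings` imported from `django.conf`), and the constant's name should make clear it only covers what `get_hexdigest` accepts.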
@@ -103,12 +104,12 @@
 return self.name
 
 class UserManager(models.Manager):
-def create_user(self, username, email, password=None):
+def create_user(self, username, email, password=None, algo=DEFAULT_ALGO):
 "Creates and saves a User with the given username, e-mail and 
password."
 now = datetime.datetime.now()
 user = self.model(None, username, '', '', email.strip().lower(), 
'placeholder', False, True, False, now, now)
 if password:
-user.set_password(password)
+user.set_password(password, algo)
 else:
 user.set_unusable_password()
 user.save()
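Review bot: the `create_user` docstring still says "Creates and saves a User with the given username, e-mail and password." and does not mention the new `algo` keyword; document it here, including which values are valid, because a caller passing an unsupported name will only find out when `set_password` runs.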
@@ -172,9 +173,8 @@
 full_name = u'%s %s' % (self.first_name, self.last_name)
 return full_name.strip()
 
-def set_password(self, raw_password):
+def set_password(self, raw_password, algo=DEFAULT_ALGO):
 import random
-algo = 'sha1'
 salt = get_hexdigest(algo, str(random.random()), 
str(random.random()))[:5]
 hsh = get_hexdigest(algo, salt, raw_password)
 self.password = '%s$%s$%s' % (algo, salt, hsh)
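Review bot: `set_password` forwards `algo` straight into `get_hexdigest` and into the stored `'%s$%s$%s'` record without validating it, so anything the caller passes becomes the stored prefix that `check_password` later has to interpret; validate `algo` against the names `get_hexdigest` supports before hashing. Separately, `algo=DEFAULT_ALGO` is evaluated once at import time, so reassigning `DEFAULT_ALGO` later (for example from settings) will not change the default; use `algo=None` and resolve the default inside the body. The salt derivation from `random.random()` truncated to 5 characters is unchanged by this patch but is worth a follow-up, since it is not a cryptographic source of randomness.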
@@ -343,7 +343,7 @@
 def delete(self):
 raise NotImplementedError
 
-def set_password(self, raw_password):
+def set_password(self, raw_password, algo=DEFAULT_ALGO):
 raise NotImplementedError
 
 def check_password(self, raw_password):


Re: use crypt algo for user passwords

2008-08-28 Thread SammyRulez

thanks, opened ticket #8647

On 28 Aug, 16:55, Rajesh Dhawan <[EMAIL PROTECTED]> wrote:
> Hi Sam,
>
> > I'm trying to figure out how to use the crypt algorithm for user passwords.
>
> > looking at the code (http://code.djangoproject.com/browser/django/
> > trunk/django/contrib/auth/models.py) line 175 there is no way to use
> > other than sha1.
>
> You're right that algo='sha1' is hard coded in User.set_password().
> You've a couple of options:
>
> 1. Write your own function that's a copy of User.set_password() and
> uses any of the other supported algorithms. You can keep this custom
> function anywhere you like (it doesn't have to be a method on User).
> It would take a User instance and an algorithm as its parameters and
> do what the built-in method does.
>
> 2. You can open a ticket and suggest that algo='sha1' be moved to a
> keyword argument of the built-in method User.set_password so that it
> can be called with other values. But before you open the ticket, wait
> a day or two to let other developers comment on whether there was a
> deliberate decision to not expose algo as a user controllable
> parameter.
>
> -Rajesh D



Re: use crypt algo for user passwords

2008-08-28 Thread Rajesh Dhawan

Hi Sam,

> I'm trying to figure out how to use the crypt algorithm for user passwords.
> looking at the code (http://code.djangoproject.com/browser/django/
> trunk/django/contrib/auth/models.py) line 175 there is no way to use
> other than sha1.

You're right that algo='sha1' is hard coded in User.set_password().
You've a couple of options:

1. Write your own function that's a copy of User.set_password() and
uses any of the other supported algorithms. You can keep this custom
function anywhere you like (it doesn't have to be a method on User).
It would take a User instance and an algorithm as its parameters and
do what the built-in method does.

2. You can open a ticket and suggest that algo='sha1' be moved to a
keyword argument of the built-in method User.set_password so that it
can be called with other values. But before you open the ticket, wait
a day or two to let other developers comment on whether there was a
deliberate decision to not expose algo as a user controllable
parameter.

-Rajesh D
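Rajesh's option 1 (a stand-alone function that takes a User instance and an algorithm) combined with the hashlib sha256/sha512 and app-secret-key idea from SammyRulez's 2008-09-01 reply, as an added example. This is not Django's code nor code posted in the thread; `SUPPORTED_ALGOS`, `make_password`, the `secret_key` parameter and the use of `secrets` for the salt are the example's own assumptions.

```python
# Added example (not Django's code): a stand-alone set_password/check_password
# pair in the 'algo$salt$hash' format the thread discusses, with the algorithm
# chosen per call and an optional per-project secret mixed into the digest.
import hashlib
import hmac
import secrets

# hashlib algorithms a project may select; md5 and crypt are deliberately absent.
SUPPORTED_ALGOS = ('sha1', 'sha256', 'sha512')


def get_hexdigest(algo, salt, raw_password, secret_key=''):
    """Hex digest of salt + secret_key + raw_password under `algo`.

    Same shape as Django's helper of that name, but it rejects anything
    outside SUPPORTED_ALGOS instead of trusting the caller's string.
    """
    if algo not in SUPPORTED_ALGOS:
        raise ValueError('unsupported password algorithm: %r' % (algo,))
    data = (salt + secret_key + raw_password).encode('utf-8')
    return hashlib.new(algo, data).hexdigest()


def make_password(raw_password, algo='sha256', secret_key=''):
    """Return 'algo$salt$hash'. The salt comes from the OS CSPRNG via
    secrets (assumption of this example), not random.random()[:5]."""
    salt = secrets.token_hex(8)
    hsh = get_hexdigest(algo, salt, raw_password, secret_key)
    return '%s$%s$%s' % (algo, salt, hsh)


def check_password(raw_password, encoded, secret_key=''):
    """Verify raw_password against a stored 'algo$salt$hash' record.

    Unknown algorithms and malformed records (including the '!' unusable
    marker) fail closed with False, and the comparison is constant-time.
    """
    try:
        algo, salt, hsh = encoded.split('$', 2)
        expected = get_hexdigest(algo, salt, raw_password, secret_key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, hsh)


def set_password(user, raw_password, algo='sha256', secret_key=''):
    """Rajesh's option 1: a free function taking a User-like object and an algo."""
    user.password = make_password(raw_password, algo, secret_key)
```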
