Re: [web2py] Re: password hash problems

2010-02-07 Thread Jonathan Lundell
On Feb 7, 2010, at 12:10 PM, mr.freeze wrote:

 Looking at CRYPT, if you provide a key but not a digest algorithm, it
 will try to get the digest alg by splitting the key between a colon.
 So you could say:
 
 auth.settings.hmac_key = 'sha512:%s' % vpepm_hmac_key

That did the trick. Thanks, I hadn't noticed the split.

Massimo, that's contrary to the documentation.

 
 On Feb 7, 1:44 pm, Jonathan Lundell jlund...@pobox.com wrote:
 I've got this (where the key is a text string):
 
 from gluon.tools import *
 auth=Auth(globals(),db)  # authentication/authorization
 auth.settings.hmac_key = vpepm_hmac_key
 auth.define_tables() # creates all needed tables
 
 #  invoke IS_STRONG only for password creation, not password checking
 if 'login' not in request.args:
     auth.settings.table_user.password.requires += [IS_STRONG(min=8, max=0, 
         upper=1, lower=1, number=1, special=1)]
 
 All my logins are failing with a bad password. I've got a sha512 hash in my 
 user database (manually initialized), but the login form is returning an md5 
 hash, presumably because digest_alg is set to md5. The manual says, "If a 
 key is specified it uses the HMAC+SHA512 with the provided key", but I don't 
 see where digest_alg is ever set to sha512.
 
 Is there a bug, or am I doing something wrong?



-- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To post to this group, send email to web...@googlegroups.com.
To unsubscribe from this group, send email to 
web2py+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en.
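The key-splitting rule mr.freeze describes, modelled in Python as an added example (this is not web2py's own CRYPT code, and `DEFAULT_DIGEST`, `resolve_digest`, `audit_user_hashes` and the demo key are assumptions of the example). It shows why a bare key yields md5 HMACs while `'sha512:key'` yields sha512 ones, and includes an audit helper for spotting stored hashes produced by the wrong digest.

```python
import hashlib
import hmac

# Added illustration of the behaviour described in the thread; it models the
# key-splitting rule from the reply, it is not web2py's own CRYPT implementation.
DEFAULT_DIGEST = "md5"  # the default the thread says applies even when a key is set


def resolve_digest(hmac_key, digest_alg=None):
    """Return (digest_name, secret). With no explicit digest_alg, a key of the
    form 'sha512:secret' selects sha512; a bare key falls back to the default."""
    if digest_alg is None and ":" in hmac_key:
        digest_alg, hmac_key = hmac_key.split(":", 1)
    return (digest_alg or DEFAULT_DIGEST), hmac_key


def hash_password(password, hmac_key, digest_alg=None):
    """HMAC the password with the resolved digest and return a hex string."""
    digest_alg, secret = resolve_digest(hmac_key, digest_alg)
    digestmod = getattr(hashlib, digest_alg)
    return hmac.new(secret.encode(), password.encode(), digestmod).hexdigest()


# Hex digest lengths, used to audit which algorithm produced a stored hash.
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest_of(stored_hash):
    """Best-effort identification of the digest behind a stored hex hash."""
    return HEX_LEN.get(len(stored_hash))


def verify_password(password, stored_hash, hmac_key, digest_alg=None):
    """Constant-time comparison of the recomputed HMAC with the stored value."""
    candidate = hash_password(password, hmac_key, digest_alg)
    return hmac.compare_digest(candidate, stored_hash)


def audit_user_hashes(rows, expected="sha512"):
    """rows: iterable of (username, stored_hash). Returns the users whose stored
    hash was not produced by the expected digest (e.g. md5 rows written while
    hmac_key was a bare string and digest_alg silently stayed at md5)."""
    return [user for user, stored in rows if digest_of(stored) != expected]
```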



Re: [web2py] Re: password hash problems

2010-02-07 Thread Jonathan Lundell
On Feb 7, 2010, at 12:07 PM, mdipierro wrote:

 remember that validators are filters. You need to check that a
 password is strong BEFORE it is hashed.
 So instead of this:
 
 auth.settings.table_user.password.requires += [IS_STRONG(min=8, max=0,
 upper=1, lower=1, number=1, special=1)]
 
 Do this
 
 auth.settings.table_user.password.insert(0,IS_STRONG(min=8, max=0,
 upper=1, lower=1, number=1, special=1))
 
 Not sure this is your problem but try again after this fix.

Good point, thanks. But it wasn't my problem; the problem is that digest_alg 
defaults to md5, even in the presence of a key, which isn't what the manual 
says.

I think that the best course of action might be to change the manual, since 
fixing the code now would break backward compatibility (I think). 

OTOH, if anyone is relying on the docs and expecting a sha512 hash, they're not 
getting one. The only reason I noticed the problem was that I was manually 
initializing the database with a sha512 hash, rather than relying on the form.



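The "validators are filters" point from mdipierro's reply, as an added example that is not web2py code: `crypt`, `is_strong` and `run_chain` are simplified stand-ins for CRYPT, IS_STRONG and a `requires` list, and the key is a constructed value. Appending IS_STRONG after CRYPT makes it inspect the hex digest, so every password is rejected; inserting it at position 0 checks the plaintext.

```python
import hashlib
import hmac
import string

# Added illustration (not web2py's code) of why validator order matters:
# validators are filters, each one receiving the previous one's output.
# CRYPT replaces the password with a hex digest, so an IS_STRONG placed after
# it inspects the digest, never the plaintext the user typed.
HMAC_KEY = "sha512:constructed-demo-key"  # constructed value, not a real key


def crypt(value):
    """Stand-in for CRYPT(key=HMAC_KEY): returns (hashed_value, error)."""
    alg, secret = HMAC_KEY.split(":", 1)
    digest = hmac.new(secret.encode(), value.encode(), getattr(hashlib, alg))
    return digest.hexdigest(), None


def is_strong(value):
    """Simplified stand-in for IS_STRONG(min=8, upper=1, lower=1, number=1,
    special=1): returns (value, error)."""
    rules = [len(value) >= 8,
             any(c.isupper() for c in value),
             any(c.islower() for c in value),
             any(c.isdigit() for c in value),
             any(c in string.punctuation for c in value)]
    return value, (None if all(rules) else "password too weak")


def run_chain(validators, value):
    """Apply validators in order, stopping at the first error, the way a
    web2py requires list is processed."""
    for validator in validators:
        value, error = validator(value)
        if error:
            return value, error
    return value, None


# Order from the original post: IS_STRONG appended after CRYPT.
APPENDED = [crypt, is_strong]
# Order mdipierro recommends: IS_STRONG inserted at position 0, before CRYPT.
INSERTED = [is_strong, crypt]
```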



Re: [web2py] Re: password hash problems

2010-02-07 Thread Jonathan Lundell
On Feb 7, 2010, at 12:07 PM, mdipierro wrote:

 remember that validators are filters. You need to check that a
 password is strong BEFORE it is hashed.
 So instead of this:
 
 auth.settings.table_user.password.requires += [IS_STRONG(min=8, max=0,
 upper=1, lower=1, number=1, special=1)]
 
 Do this
 
 auth.settings.table_user.password.insert(0,IS_STRONG(min=8, max=0,
 upper=1, lower=1, number=1, special=1))
 
 Not sure this is your problem but try again after this fix.

Shouldn't that be 
auth.settings.table_user.password.requires.insert(0,IS_STRONG(min=8, max=0, 
upper=1, lower=1, number=1, special=1)) ?


