Re: [Zope3-dev] SHA1Password manager, add a pinch of salt

2007-04-25 Thread Dmitry Vasiliev

Giovannetti, Mark wrote:
From: Dmitry Vasiliev [mailto:[EMAIL PROTECTED] 


Slices don't wrap around.


Right, this was what I was seeing/thinking about:


>>> for i in range(41): print i, "'" + password[:i-40] + "'"

[skip]

Can't really call it wrap around, I guess.
 
Anyway:  


def checkPassword(self, storedPassword, password):
    salt = storedPassword[:max(0, len(storedPassword)-40)]
    return storedPassword == self.encodePassword(password, salt)

With Python you can do things as simply as possible. :-) The expression
storedPassword[:-40] (which is equivalent to
storedPassword[:len(storedPassword)-40]) does exactly what you want:

>>> password[:-40]
''


Keeping it simple is often the best way.  Given the above, in order
to ensure a blank salt with a password less than 40 characters,
keeping it simple may not suffice.


I think in the example above you're testing the wrong use case, since we
use a constant slice index; the following example explains what I mean:


>>> hash = '123456789'
>>> while hash:
...     print (hash[:-4], hash[-4:])
...     hash = hash[1:]
...
('12345', '6789')
('2345', '6789')
('345', '6789')
('45', '6789')
('5', '6789')
('', '6789')
('', '789')
('', '89')
('', '9')

--
Dmitry Vasiliev dima at hlabs.spb.ru
http://hlabs.spb.ru
___
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com



Re: [Zope3-dev] SHA1Password manager, add a pinch of salt

2007-04-23 Thread Benji York

Giovannetti, Mark wrote:

I like that update.  However, it would fail authentication on
stored lengths less than 40.  Yes, I know that a length less than
40 would mean an anomalous stored password, but at least we 
guarantee a blank '' salt, rather than the possibility of getting
some of the last hex digits of the stored password due to 
list wrap around.  Might make debugging a problem just a little 
easier, you never know.


How about putting the salt on the end of the stored value?  Then
fetching the salt would look like this:


salt = storedPassword[40:]

That way if the stored value was less than 40 characters, the salt would 
be the empty string.

--
Benji York
Senior Software Engineer
Zope Corporation
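The two layouts debated in this thread, salt in front of the 40-character SHA-1 hex digest (Dmitry's `storedPassword[:-40]`) and salt behind it (Benji's `storedPassword[40:]`), side by side as an added example. This is not code from the thread or from Zope's own password manager; the function names, the 8-hex-character salt and the sample passwords are my own choices. It shows why a constant slice index needs no `max(0, ...)` guard: a stored value of 40 characters or fewer yields an empty salt in both layouts, which also makes an old unsalted record verify unchanged. The comparison uses `hmac.compare_digest` rather than `==` so that a mismatch does not leak where the two strings diverge.

```python
import hashlib
import hmac
import os

# SHA-1 hex digest is always 40 characters; the salt is whatever remains.
DIGEST_LEN = 40


def _digest(salt, password):
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def _new_salt():
    # 4 random bytes rendered as 8 hex characters (constructed choice of size).
    return os.urandom(4).hex()


# Layout 1: salt + digest (the scheme the thread starts from).
def encode_salt_first(password, salt=None):
    if salt is None:
        salt = _new_salt()
    return salt + _digest(salt, password)


def check_salt_first(stored, password):
    # stored[:-40] is '' for any stored value of 40 chars or fewer, so an
    # anomalous short record can never hand back part of the digest as salt.
    salt = stored[:-DIGEST_LEN]
    return hmac.compare_digest(stored, encode_salt_first(password, salt))


# Layout 2: digest + salt (Benji York's suggestion).
def encode_salt_last(password, salt=None):
    if salt is None:
        salt = _new_salt()
    return _digest(salt, password) + salt


def check_salt_last(stored, password):
    # stored[40:] is likewise '' for any stored value of 40 chars or fewer.
    salt = stored[DIGEST_LEN:]
    return hmac.compare_digest(stored, encode_salt_last(password, salt))


def split_stored(stored, salt_first=True):
    """Return (salt, digest) for a stored value in either layout.

    Handy when inspecting records by hand: a short or unsalted record comes
    back with an empty salt instead of a truncated digest.
    """
    if salt_first:
        return stored[:-DIGEST_LEN], stored[-DIGEST_LEN:]
    return stored[DIGEST_LEN:], stored[:DIGEST_LEN]


if __name__ == "__main__":
    # Constructed sample: fixed salt so the two layouts can be compared.
    a = encode_salt_first("secret", "abcd")
    b = encode_salt_last("secret", "abcd")
    print(a, check_salt_first(a, "secret"), check_salt_first(a, "wrong"))
    print(b, check_salt_last(b, "secret"), check_salt_last(b, "wrong"))
    # A legacy unsalted record (bare digest) still verifies in both layouts.
    legacy = hashlib.sha1(b"secret").hexdigest()
    print(check_salt_first(legacy, "secret"), check_salt_last(legacy, "secret"))
```

Note that this reproduces the 2007 scheme under discussion; a single SHA-1 over salt and password is fast to brute-force, and a password manager written today would use a deliberately slow, iterated construction (a PBKDF2-, bcrypt- or scrypt-style KDF) with the same salt-handling discipline shown here.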



Re: [Zope3-dev] SHA1Password manager, add a pinch of salt

2007-04-23 Thread Gary Poster


On Apr 23, 2007, at 12:03 PM, Giovannetti, Mark wrote:


You make a point, although I would expect a reference
implementation to be as good as possible.  Hence, improvements
can be encouraged and, perhaps, the security bar raised.
Adding this salt patch allows a better, more secure reference
implementation.

Surely, welcoming obvious improvements that will save some
other zope developer from re-implementing a secure /etc/passwd
equivalent is desirable.


+1

Gary
