Re: [Zope3-dev] SHA1Password manager, add a pinch of salt
Giovannetti, Mark wrote:
>> From: Dmitry Vasiliev [mailto:[EMAIL PROTECTED]
>> Slices don't wrap around.
>
> Right, this was what I was seeing/thinking about:
>
>     for i in range(41):
>         print i, "'" + password[:i-40] + "'"
>
> [skip]
>
> Can't really call it wrap around, I guess. Anyway:
>
>     def checkPassword(self, storedPassword, password):
>         salt = storedPassword[:max(0, len(storedPassword)-40)]
>         return storedPassword == self.encodePassword(password, salt)

With Python you can do things as simply as possible. :-) The expression storedPassword[:-40] (which is equivalent to storedPassword[:len(storedPassword)-40]) does exactly what you want:

    >>> password[:-40]
    ''

> Keeping it simple is often the best way. Given the above, in order to ensure a blank salt with a password less than 40 characters, keeping it simple may not suffice.

I think in the example above you're testing for the wrong use case, since we use a constant slice index; the following example explains what I mean:

    >>> hash = '123456789'
    >>> while hash:
    ...     print (hash[:-4], hash[-4:])
    ...     hash = hash[1:]
    ...
    ('12345', '6789')
    ('2345', '6789')
    ('345', '6789')
    ('45', '6789')
    ('5', '6789')
    ('', '6789')
    ('', '789')
    ('', '89')
    ('', '9')

--
Dmitry Vasiliev
dima at hlabs.spb.ru
http://hlabs.spb.ru

___
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
Re: [Zope3-dev] SHA1Password manager, add a pinch of salt
Giovannetti, Mark wrote:
> I like that update. However, it would fail authentication on stored lengths less than 40. Yes, I know that a length less than 40 would mean an anomalous stored password, but at least we guarantee a blank '' salt, rather than the possibility of getting some of the last hex digits of the stored password due to list wrap around. Might make debugging a problem just a little easier, you never know.

How about putting the salt on the end of the stored value? Then fetching the salt would look like this:

    salt = storedPassword[40:]

That way if the stored value was less than 40 characters, the salt would be the empty string.

--
Benji York
Senior Software Engineer
Zope Corporation
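Both layouts discussed in the thread side by side, as an added illustration that is not code from the thread or from Zope: salt before the 40-character hex digest (salt = stored[:-40], Dmitry's slice) and salt after it (salt = stored[40:], Benji's suggestion), including the under-40-character stored value that Mark was worried about. It assumes the salt is simply prepended to the password before hashing and that the stored value is a hex string; the function names are my own.

```python
import hashlib
import hmac
import secrets

DIGEST_LEN = 40  # hex digits in a SHA-1 digest


def sha1_hex(salt, password):
    # Assumed combination (not specified in the thread): salt + password.
    # SHA-1 is fast; a real deployment would prefer a slow password KDF.
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def new_salt(nbytes=4):
    return secrets.token_hex(nbytes)


# Layout A (Mark/Dmitry): salt + digest, salt recovered as stored[:-40].
def encode_salt_first(password, salt):
    return salt + sha1_hex(salt, password)


def split_salt_first(stored):
    # Constant negative index: stored[:-40] is '' for anything shorter than
    # 40 characters and stored[-40:] is then the whole short value, so no
    # digest bytes ever leak into the salt.
    return stored[:-DIGEST_LEN], stored[-DIGEST_LEN:]


def check_salt_first(stored, password):
    salt, _ = split_salt_first(stored)
    candidate = encode_salt_first(password, salt)
    # Constant-time comparison; a short/anomalous stored value simply fails.
    return hmac.compare_digest(stored.encode(), candidate.encode())


# Layout B (Benji): digest + salt, salt recovered as stored[40:].
def encode_salt_last(password, salt):
    return sha1_hex(salt, password) + salt


def split_salt_last(stored):
    return stored[DIGEST_LEN:], stored[:DIGEST_LEN]


def check_salt_last(stored, password):
    salt, _ = split_salt_last(stored)
    candidate = encode_salt_last(password, salt)
    return hmac.compare_digest(stored.encode(), candidate.encode())


if __name__ == "__main__":
    salt = new_salt()
    for enc, chk in ((encode_salt_first, check_salt_first), (encode_salt_last, check_salt_last)):
        stored = enc("correct horse", salt)
        print(stored, chk(stored, "correct horse"), chk(stored, "wrong"))
    print(split_salt_first("abc"), split_salt_last("abc"))  # both give an empty salt
```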
Re: [Zope3-dev] SHA1Password manager, add a pinch of salt
On Apr 23, 2007, at 12:03 PM, Giovannetti, Mark wrote:
> You make a point, although I would expect a reference implementation to be as good as possible. Hence, improvements can be encouraged and, perhaps, the security bar raised. Adding this salt patch allows a better, more secure reference implementation. Surely, welcoming obvious improvements that will save some other zope developer from re-implementing a secure /etc/passwd equivalent is desirable.

+1

Gary