You can already do CRYPT(digest_alg='sha512') or any other
OpenSSL-supported algorithm.

But yes... there should be a good balance between all relevant values
for web2py project, I mean, a solid name on security is at least as
important as an extreme "backward compatibility" record (if this is
really the case, because I don't even think this is a matter of
backward compatibility just something that should be fixed). Else, we
get stalled by errors in the past.

On Jul 31, 4:38 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Jul 30, 2009, at 8:30 PM, Bottiger wrote:
>
> > I know you have the mantra of not breaking backwards compatibility,
> > but it is a pretty bad idea to have unsalted MD5 passwords.
>
> > For example, let's say your password is "massimo". The MD5 hash of
> > that happens to be "8cac5ac44b51f182143a43c4cdb6c4ac".
>
> > Even forgetting rainbow tables, you can simply do a search for it on
> > Google and you have 10+ pages telling you that it is the hash for
> > "massimo".
>
> How about a new validator that does the right thing, and deprecating  
> CRYPT?
>
> I'd prefer some less-predictable salt than the suggestion below,
> though. How about the old Unix passwd trick of choosing some random
> salt, and appending the salt in plaintext to the hash?
>
> >http://www.google.com/search?q=8cac5ac44b51f182143a43c4cdb6c4ac
>
> > On Jul 30, 8:10 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> >> We cannot break backward compatibility. People should specify a key
> >> and use the HMAC+SHA512 anyway.
>
> >> Massimo
>
> >> On Jul 30, 9:49 pm, Bottiger <bottig...@gmail.com> wrote:
>
> >>> The CRYPT validator is unsecure because it uses unsalted MD5.
>
> >>> There are public rainbow tables that have unsalted MD5 passwords
> >>> of up to 10 characters long including symbols.
>
> >>> I highly recommend that if no "key" is specified, that CRYPT will
> >>> automatically salt the password based on a substring of the password
> >>> itself. For example:
>
> >>> password = "secretpass"
> >>> hash = md5(password+password[-1])
>
> >>> This will of course break backward compatibility, but this is a real
> >>> security vulnerability.
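Added example, not part of the thread and not web2py's code: a Python sketch contrasting the unsalted MD5 hash and the password-derived "salt" discussed above with the random-salt-stored-beside-the-hash approach suggested in the replies. The function names, the `pbkdf2_sha512$...` storage format, the iteration count and the choice of PBKDF2-HMAC-SHA512 as the hash are assumptions made for this example; the thread itself only names MD5, SHA512 and HMAC.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_md5(password):
    """Unsalted MD5 as criticised in the thread: same password, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def self_salted_md5(password):
    """The md5(password + password[-1]) proposal: the 'salt' is derived from
    the password, so the output is still one fixed value per password."""
    return hashlib.md5((password + password[-1]).encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Random per-password salt, stored in plaintext next to the hash.
    Hypothetical format: pbkdf2_sha512$<iterations>$<salt hex>$<hash hex>"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha512$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"),
            bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except (ValueError, OverflowError):
        return False  # malformed record
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    a, b = hash_password("massimo"), hash_password("massimo")
    print("md5 repeatable:", unsalted_md5("massimo") == unsalted_md5("massimo"))
    print("salted records differ:", a != b)
    print("both verify:", verify_password("massimo", a), verify_password("massimo", b))
```

Two users with the same password get different stored records under the random salt, while both MD5 variants always map a given password to the same value.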