#818: implement site_secret in passwords
--------------------------------+-------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: anonymous
Type: enhancement | Status: new
Priority: normal | Milestone: 1.1
Component: Identity | Version: 0.9a5
Severity: trivial | Keywords:
--------------------------------+-------------------------------------------
Passwords are fine as md5/sha1, but they could be a little stronger if a
site secret was introduced.
Doing this just makes an md5('a') different between sites, which is kind of
nice as an application developer, as it insulates you even more from the
chance that someone who md5'd the dictionary (and then some) can reverse
your account passwords.
suggestion:
app.cfg
{{{
+ identity.sapprovider.site_secret = "aaaaaaa"
}}}
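Review bot: The key added to app.cfg is spelled `identity.sapprovider.site_secret` (double "p"), while the code in identity/saprovider.py reads `identity.saprovider.site_secret`, so a secret set with this line would never be picked up and the lookup would fall back to its default. Correct the spelling, and document next to the setting that the value should be a long random string unique to each deployment rather than a short placeholder like "aaaaaaa".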
identity/saprovider.py
{{{
- algorithm= get( "identity.saprovider.encryption_algorithm", None
)
- if "md5"==algorithm:
- self.encrypt_password= lambda pw: md5.new(pw).hexdigest()
- elif "sha1"==algorithm:
- self.encrypt_password= lambda pw: sha.new(pw).hexdigest()
- else:
- self.encrypt_password= lambda pw: pw
+ algorithm= get( "identity.saprovider.encryption_algorithm", None
)
+ self.encrypt_password= lambda pw: md5.new("%s%s"%(pw, get(
"identity.saprovider.site_secret", None )).hexdigest()
+ elif "sha1"==algorithm:
+ self.encrypt_password= lambda pw: sha.new("%s%s"%(pw, get(
"identity.saprovider.site_secret", None )).hexdigest()
+ else:
+ self.encrypt_password= lambda pw: pw
}}}
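Review bot: The added lines drop `if "md5"==algorithm:`, so the `elif "sha1"==algorithm:` branch has no matching `if` and the module will not compile; restore the `if` line above the md5 lambda. The lookup `get( "identity.saprovider.site_secret", None )` defaults to None, which `"%s%s"` formats as the literal text "None", so a site without the setting silently hashes every password with that suffix; default to an empty string or refuse to start without a secret. Because the hash input changes from pw to pw plus the secret, digests already stored will stop matching once a secret is set, which needs a migration note. A single site-wide value also leaves two users with the same password sharing one digest, so a per-user salt stored beside the hash would be worth adding alongside it.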
--
Ticket URL: <http://trac.turbogears.org/turbogears/ticket/818>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development