On Aug 1, 8:52 pm, Marco Mariani <[EMAIL PROTECTED]> wrote:
> This is not encryption.
> Please, please have an idea of what a hash function is, before deploying
> serious web applications :-))
Uncalled for. The vast majority of web developers have no idea what a hash function is, and have no need to know. That's why identity Just Works. The day people need to be encryption experts to deploy a "serious" TurboGears application is the day we've failed. I highly recommend people learn crypto, purely for good coverage, but it isn't - and shouldn't be - necessary.

That said, we should also be detailing the reasons why a one-way hash is normally used for passwords. The basic reasons are:

1. If someone steals your database, the passwords of your users are not compromised.
2. Many users use the same username and password everywhere. A one-way hash keeps you from abusing this on a whim.
3. A one-way hash allows arbitrarily long passphrases without requiring a long field to store them in.

Developers should think carefully about their reasons before using anything else for password storage. A common situation where the above do not apply is when you are storing the password for use against an external web service. In this instance you need the plaintext to work with, whether by simple storage or via the encryption routines I outlined in my previous post.

You received this message because you are subscribed to the Google Groups "TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears?hl=en
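The three reasons listed in the reply above, shown in working code. This is an added example, not code from the thread or from the TurboGears identity framework: it stores a salted, iterated one-way hash (PBKDF2 from the Python standard library) and verifies a candidate password against it. The record format `pbkdf2_sha256$iterations$salt$hash`, the function names and the sample passphrases are this example's own choices.

```python
"""Added example (not from the original thread): one-way password hashing
with a per-user salt, as a contrast to reversible encryption.
Uses only the Python standard library; the record layout is our own."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16        # random per-user salt
DIGEST_BYTES = 32      # SHA-256 output size


def hash_password(password, salt=None):
    """Return a self-describing record "pbkdf2_sha256$iter$salt_hex$hash_hex".

    The record is the same length whatever the passphrase length, so a short
    fixed-size column suffices (reason 3), and it cannot be turned back into
    the password if the database is stolen (reason 1).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        stored = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        iters = int(iters)
    except ValueError:
        return False           # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    expected = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iters, dklen=DIGEST_BYTES
    )
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(expected, stored)


def record_length(password):
    """Length of the stored record; constant regardless of passphrase length."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample credentials (not real accounts).
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))
    print(verify_password(rec, "wrong passphrase"))
    print(record_length("a"), record_length("x" * 1000))
```

Because each user gets a different salt, two accounts that happen to share a password produce different records, so a stolen table does not even reveal that fact (reason 2). The hash is only suitable where the application needs to check a password, not to reproduce it; credentials for an external web service still need the reversible storage the reply describes.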

