Thanks Anthony. As expected, web2py's CRYPT algorithm is secure (not just 
a simple step to store the sensitive one). I'll try your second piece of 
advice (using web2py as a CAS provider) first, because it is simpler than 
the first one.

thanks and best regards,
stifan

On Saturday, May 19, 2018 at 3:36:59 AM UTC+7, Anthony wrote:
>
> Note, you might also consider exposing web2py as a CAS provider 
> <http://web2py.com/books/default/chapter/29/09/access-control#Central-Authentication-Service> 
> to your other apps, letting web2py handle all the authentication logic.
>
> On Friday, May 18, 2018 at 3:05:33 PM UTC-4, Anthony wrote:
>>
>> Here is the code that compares a plain text password to the stored hashed 
>> password: 
>> https://github.com/web2py/web2py/blob/4ed36cfb1fe960d5c818c53562d920d407e991ae/gluon/validators.py#L2919-L2922
>>
>> The salt and the digest algorithm name and parameters are stored in a 
>> string combined with the hash. The above linked code extracts the salt, 
>> digest algorithm, and hash stored in the database. It then uses the salt 
>> and digest algorithm info to hash the plain text password in order to 
>> determine if it is the same as the stored hash.
>>
>> To hash the password, it calls simple_hash 
>> <https://github.com/web2py/web2py/blob/4ed36cfb1fe960d5c818c53562d920d407e991ae/gluon/utils.py#L116> 
>> in gluon.utils. You can review that code to figure out how the hashing 
>> is done.
>>
>> As seen here 
>> <https://github.com/web2py/web2py/blob/4ed36cfb1fe960d5c818c53562d920d407e991ae/gluon/validators.py#L3017>, 
>> the default digest algorithm used by CRYPT (and ultimately passed to 
>> simple_hash) is pbkdf2(1000,20,sha512), so unless you have changed the 
>> default, that is what you should use.
>>
>> You'll have to figure out how to replicate the hashing process in 
>> whatever language you are using, though the algorithms are standard, so 
>> hopefully that will be fairly straightforward.
>>
>> Anthony
>>
>> On Friday, May 18, 2018 at 11:34:24 AM UTC-4, 黄祥 wrote:
>>>
>>> *objective:*
>>> use a database that was built using web2py in another app, like the PHP Slim 
>>> framework, Express.js or restify, since those frameworks don't need to 
>>> define the database models.
>>>
>>> *problem:*
>>> I don't know how to use the auth_user table for login in another app, 
>>> because it is not clear how the password field is stored in the database table.
>>>
>>> *learn from the book:*
>>> By default, CRYPT uses 1000 iterations of the pbkdf2 algorithm combined 
>>> with SHA512 to produce a 20-byte-long hash. 
>>> *ref:*
>>> http://web2py.com/books/default/chapter/29/07/forms-and-validators
>>>
>>> *question:*
>>> What is the crypt module used by web2py to encrypt the password field? The 
>>> book says "1000 iterations of the pbkdf2 algorithm combined with SHA512 to 
>>> produce a 20-byte-long hash", but I'm not sure I understand what that means.
>>>
>>> thanks and best regards,
>>> stifan
>>>
>>

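The verification Anthony describes above, written as an added example for this thread (it is not code from web2py or from anyone in the discussion), using only the Python standard library so it can be ported line by line to the PHP or Node app. It assumes the stored field has the three-part shape the quoted validators.py code splits on, `digest_alg$salt$hex_hash`, with the default `pbkdf2(1000,20,sha512)` meaning PBKDF2-HMAC-SHA512, 1000 iterations, a 20-byte derived key written as 40 hex characters, and the password and salt encoded as UTF-8. The 16-hex-character salt length is my reading of how web2py derives its salt and is only used when creating new hashes; verification takes whatever salt is stored. Legacy unsalted hashes (no `$` in the field) are deliberately rejected here rather than guessed.

```python
"""Verify and create web2py-style CRYPT password hashes outside web2py.

Stored format (assumption based on the thread): "digest_alg$salt$hex_hash",
e.g.  pbkdf2(1000,20,sha512)$0123456789abcdef$<40 hex chars>
"""
import hashlib
import hmac
import re
import secrets

DEFAULT_ALG = "pbkdf2(1000,20,sha512)"          # web2py's documented default
_PBKDF2_RE = re.compile(r"^pbkdf2\((\d+),(\d+),([A-Za-z0-9_]+)\)$")


def parse_pbkdf2_alg(digest_alg):
    """Split 'pbkdf2(iterations,keylen,hashname)' into (int, int, str)."""
    m = _PBKDF2_RE.match(digest_alg)
    if not m:
        raise ValueError("unsupported digest_alg: %r" % digest_alg)
    iterations, keylen, hashname = int(m.group(1)), int(m.group(2)), m.group(3)
    if hashname not in hashlib.algorithms_available:
        raise ValueError("unknown hash function: %r" % hashname)
    return iterations, keylen, hashname


def pbkdf2_hex(password, salt, digest_alg=DEFAULT_ALG):
    """PBKDF2-HMAC over the UTF-8 password and salt, returned as lowercase hex.

    keylen is the derived-key length in bytes, so the default 20 gives 40 hex
    characters, which is the "20-byte-long hash" the book refers to.
    """
    iterations, keylen, hashname = parse_pbkdf2_alg(digest_alg)
    dk = hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"),
                             salt.encode("utf-8"), iterations, keylen)
    return dk.hex()


def hash_password(password, digest_alg=DEFAULT_ALG, salt=None):
    """Produce a field value in the same "alg$salt$hash" layout web2py stores."""
    if salt is None:
        # 16 hex chars: assumed to match the length of web2py's generated salt.
        salt = secrets.token_hex(8)
    return "%s$%s$%s" % (digest_alg, salt, pbkdf2_hex(password, salt, digest_alg))


def verify_password(password, stored):
    """Return True only if `password` reproduces the stored salted hash.

    Mirrors the quoted check: split on '$', re-hash with the stored algorithm
    and salt, compare. Malformed or unsupported values verify as False rather
    than raising, and the comparison is constant-time.
    """
    if not stored or stored.count("$") != 2:
        return False
    digest_alg, salt, expected = stored.split("$")
    try:
        computed = pbkdf2_hex(password, salt, digest_alg)
    except ValueError:
        return False
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    # Constructed demo values; nothing here comes from a real database.
    stored = hash_password("correct horse battery staple")
    print("stored field:", stored)
    print("right password ->", verify_password("correct horse battery staple", stored))
    print("wrong password ->", verify_password("Correct horse battery staple", stored))
```

The same derivation in the other stacks mentioned in the question is one call: PHP's `hash_pbkdf2('sha512', $password, $salt, 1000, 40)` (length counted in hex characters) and Node's `crypto.pbkdf2Sync(password, salt, 1000, 20, 'sha512').toString('hex')`. Whatever language you use, parse the algorithm string rather than hard-coding 1000/20/sha512, so rows hashed under a non-default `digest_alg` still verify, and compare hashes with a constant-time function.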
-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)