We cannot break backward compatibility. People should specify a key and use the HMAC+SHA512 anyway.
Massimo

On Jul 30, 9:49 pm, Bottiger <bottig...@gmail.com> wrote:
> The CRYPT validator is insecure because it uses unsalted MD5.
>
> There are public rainbow tables that have unsalted MD5 passwords of up
> to 10 characters long including symbols.
>
> I highly recommend that if no "key" is specified, CRYPT will
> automatically salt the password based on a substring of the password
> itself. For example:
>
> password = "secretpass"
> hash = md5(password+password[-1])
>
> This will of course break backward compatibility, but this is a real
> security vulnerability.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
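The three hashing choices discussed in this thread, side by side, as an added Python example (not code from the thread and not web2py's own CRYPT implementation): the unsalted MD5 that Bottiger objects to, the "salt taken from the password itself" variant he proposes, and the keyed HMAC-SHA512 that Massimo points people to, plus a per-user random-salt variant for contrast. The secret key, the candidate-password list and the stored-format `salt$digest` are constructed for the example; web2py's actual CRYPT storage format is not assumed. The point it makes concrete is that the self-salted variant is still a fixed function of the password, so two accounts with the same password get the same stored value and a one-time lookup table works against it exactly as it does against plain MD5, whereas a digest that depends on a secret key or a random per-user salt cannot be tabulated in advance.

```python
import hashlib
import hmac
import os

# Constructed for this example; a real deployment keeps the key out of source.
SECRET_KEY = b"example-server-key-not-for-production"

# Constructed candidate list standing in for a public MD5 rainbow table.
CANDIDATES = ["password", "letmein", "secretpass", "qwerty123"]


def md5_unsalted(password):
    """The scheme criticised in the thread: MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_self_salted(password):
    """The proposal quoted above: 'salt' = last character of the password.
    Still a pure function of the password, so still deterministic."""
    return hashlib.md5((password + password[-1]).encode()).hexdigest()


def hmac_sha512(password, key=SECRET_KEY):
    """Keyed HMAC-SHA512: the digest depends on a server-side secret."""
    return hmac.new(key, password.encode(), hashlib.sha512).hexdigest()


def sha512_random_salt(password, salt=None):
    """Per-user random salt stored next to the digest as 'salthex$digest'
    (constructed storage format for this example)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_random_salt(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = sha512_random_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def precomputed_table(hash_fn, candidates=CANDIDATES):
    """Build a digest -> password map once, with no knowledge of any user.
    If hash_fn is deterministic in the password alone, this table answers
    for every account that chose one of the candidates."""
    return {hash_fn(p): p for p in candidates}


def same_value_for_two_users(hash_fn, password="secretpass"):
    """True when two accounts sharing a password store identical values,
    which is what makes a precomputed table reusable across users."""
    return hash_fn(password) == hash_fn(password)


if __name__ == "__main__":
    for name, fn in [("md5_unsalted", md5_unsalted),
                     ("md5_self_salted", md5_self_salted),
                     ("hmac_sha512", hmac_sha512),
                     ("sha512_random_salt", sha512_random_salt)]:
        table = precomputed_table(fn)
        hit = table.get(fn("secretpass")) if name != "sha512_random_salt" else None
        print(f"{name:20s} identical for two users: "
              f"{same_value_for_two_users(fn)!s:5s} table hit: {hit}")
```

Running it shows both MD5 variants answering the table lookup and giving identical stored values for two users, while the HMAC result only matches a table built with the same secret key and the random-salt variant differs on every call. In web2py terms this is Massimo's advice: pass a key to CRYPT so the stored digest is an HMAC rather than a bare hash.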