Reading the code in gluon/validators > class CRYPT(). It looks like the default approach is hmac using md5 as the algorithm.
Below is a tiny snippet of code that will generate password hashes that match the current default behaviour of the web2py admin application:

note: by default the hmac_key is the literal ascii string "<your secret key>", if you change the hmac_key this will break.

    from hashlib import md5
    import hmac

    hmac_key = '<your secret key>'
    password = 'insecure'
    # Python 3: hmac.new() needs bytes and an explicit digest
    # (md5 was the implicit default on Python 2).
    thehash = hmac.new(hmac_key.encode(), password.encode(), md5).hexdigest()
    print(thehash)

On Tue, Jan 4, 2011 at 8:13 PM, David Bain <pigeonfli...@gmail.com> wrote:
> So if I'm importing a csv of users into auth_user.password I'd need to
> use the same hmac_key to generate the passwords used in the source
> csv.
>
> On Tue, Jan 4, 2011 at 8:10 PM, mdipierro <mdipie...@cs.depaul.edu> wrote:
>>
>> using a salt (token in your example) is a bit primitive and vulnerable
>> to certain attacks.
>>
>> Web2py uses hmac+md5 or hmac+sha512.
>>
>> The password can be specified by:
>>
>> auth.settings.hmac_key='sha512:mypassword'
>>
>> which is passed to the validator
>>
>> CRYPT(hmac_key='....')
>>
>>
>> Massimo
>>
>> The prefix: (sha512) specifies the algorithm.
>>
>> On Jan 4, 6:31 pm, David Bain <pigeonfli...@gmail.com> wrote:
>> > I'm not sure how passwords are hashed in web2py. If it uses a token, where
>> > is it stored?
>> >
>> > I'm guessing that it uses something like this:
>> >
>> > from hashlib import md5
>> >
>> > token = 'insecure'
>> >
>> > tokenizedHash = md5(password + token)
>> >
>> > print tokenizedHash.hexdigest()
>
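The CSV import case raised in this thread, as an added example that is not code from the thread or from web2py: it hashes a plaintext password column with the site's hmac_key and checks a hash in constant time. The helper names (crypt_hash, verify, hash_csv), the sample rows, and the handling of the "alg:key" prefix are assumptions modelled on the description above.

```python
import csv
import hashlib
import hmac
import io

DEFAULT_KEY = "<your secret key>"   # default hmac_key quoted in the thread
SUPPORTED = {"md5", "sha512"}       # the two digests named in the thread


def crypt_hash(password, hmac_key=DEFAULT_KEY):
    """Keyed hash of a password; an optional 'alg:' prefix selects the digest."""
    alg, sep, secret = hmac_key.partition(":")
    if not sep or alg not in SUPPORTED:
        # Assumption: no recognised prefix means the whole string is the key
        # and md5 is used, matching the default behaviour described above.
        alg, secret = "md5", hmac_key
    digest = getattr(hashlib, alg)
    return hmac.new(secret.encode(), password.encode(), digest).hexdigest()


def verify(password, stored_hash, hmac_key=DEFAULT_KEY):
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(crypt_hash(password, hmac_key), stored_hash)


def hash_csv(text, hmac_key=DEFAULT_KEY):
    """Return the CSV rows with the plaintext 'password' column replaced by its hash."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["password"] = crypt_hash(row["password"], hmac_key)
    return rows


# Constructed sample input, not real accounts.
SAMPLE = "email,password\nalice@example.com,insecure\nbob@example.com,hunter2\n"

if __name__ == "__main__":
    site_key = "sha512:mypassword"  # key format shown in the thread
    for row in hash_csv(SAMPLE, site_key):
        print(row["email"], row["password"][:16] + "...")
    hashed = crypt_hash("insecure", site_key)
    print("same key verifies:", verify("insecure", hashed, site_key))
    print("default key verifies:", verify("insecure", hashed))
```

A hash produced under one hmac_key does not verify under another, so the import has to use the key the target application is configured with.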