On 2011-08-05 22:24 +0700, michael kapelko wrote:
> Is this reasonable or is this stupid?
> Maybe I should use some already-made solution?
> How do I make it really safe?
You will first generate a secret that will be stored somewhere. It should be a longish random string. Next you will generate a random salt (say 12 chars long) for each password, and then you'll SHA-1 your password like so:

    hashlib.sha1(web.config.secret + salt + password).hexdigest()

You then store the hexdigest AND salt in the database. Usually, you'd store them both in the password field like so:

    user_record['password'] = salt + '$' + hexdigest

Then when you want to check the password, you rehash it and then:

    rehashed_pw == user_record['password'].split('$')[1]

Now, to make it really safe, you also want to do the authentication over SSH.

If you want crazy-paranoid-secure you use a hardware token: You give your user a device that will take an 8-digit number that they get when visiting the signup page, and the device gives them a 256-digit number that they have to type in correctly. They have to do it from a secure bunker at an undisclosed location to which they are dropped after being kidnapped by a bunch of gorillas (blindfolded all the way). If they fail to enter the number correctly the first time, the bunker is blown to pieces. If they don't enter it in 5 seconds, the bunker is blown to pieces. If they tell anyone about the bunker, site contents, or the hardware token, they get blown to pieces along with their relatives and anyone that had contact with the user in the previous 30 days (that's an extra insurance clause).

Of course, if you are even more paranoid, you abduct them at night, extract any interaction intention from their brains, input them directly into software, and shove the results back into the server. Then you blow them into pieces.

Um... am I making any sense? Probably not.

-- 
Branko Vukelic
bra...@herdhound.com
bg.bra...@gmail.com

Lead Developer
Herd Hound (tm) - Travel that doesn't bite
www.herdhound.com

Love coffee? You might love Loveffee, too.
loveffee.appspot.com
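The salt-plus-secret scheme from the reply above, written out as an added example (not code from the thread or from web.py): SECRET is a constructed stand-in for web.config.secret, the record layout is the reply's "salt$hexdigest", verification uses a constant-time compare rather than ==, and a PBKDF2 variant with the same layout is included as the slower, guess-resistant alternative a reviewer would ask for in place of a single SHA-1 round.

```python
import hashlib
import hmac
import secrets

# Stand-in for web.config.secret (constructed value; load it from config in a real app).
SECRET = "constructed-long-random-application-secret-0123456789"


def hash_password(password, secret=SECRET, salt=None):
    """The reply's scheme: SHA-1 over secret + salt + password, stored as 'salt$hexdigest'."""
    if salt is None:
        salt = secrets.token_hex(6)  # 6 random bytes -> 12 hex characters, as suggested
    digest = hashlib.sha1((secret + salt + password).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def hash_password_pbkdf2(password, secret=SECRET, salt=None, iterations=200_000):
    """Same layout and same secret, but a deliberately slow KDF (PBKDF2-HMAC-SHA256)
    instead of one SHA-1 round, so guessing against a leaked table is far costlier."""
    if salt is None:
        salt = secrets.token_hex(6)
    key = hashlib.pbkdf2_hmac(
        "sha256", (secret + password).encode("utf-8"), salt.encode("ascii"), iterations
    )
    return salt + "$" + key.hex()


def verify(password, stored, hasher=hash_password, secret=SECRET):
    """Re-derive with the salt taken from the stored record and compare digests.
    hmac.compare_digest keeps the comparison time independent of where the
    digests first differ, unlike a plain == on the two strings."""
    salt, sep, digest = stored.partition("$")
    if sep != "$" or not salt or not digest:
        return False  # malformed record: never treat it as a match
    rehashed = hasher(password, secret, salt).partition("$")[2]
    return hmac.compare_digest(rehashed, digest)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record, verify("correct horse", record), verify("wrong", record))
```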