Is the secret (hardcoded?) to prevent crackers guessing the password even though the salts are leaked?
2011/8/5 Branko Vukelić <bg.bra...@gmail.com>
> On 2011-08-05 22:24 +0700, michael kapelko wrote:
> > Is this reasonable or is this stupid?
> > Maybe I should use some already-made solution?
> > How do I make it really safe?
>
> You will first generate a secret that will be stored somewhere. It
> should be a longish random string.
>
> Next you will generate a random salt (say 12 chars long) for each
> password, and then you'll SHA-1 your password like so:
>
> hashlib.sha1(web.config.secret + salt + password).hexdigest()
>
> You then store the hexdigest AND salt in the database. Usually, you'd
> store them both in the password field like so:
>
> user_record['password'] = salt + '$' + hexdigest
>
> Then when you want to check the password, you rehash it and then:
>
> rehashed_pw == user_record['password'].split('$')[1]
>
> Now, to make it really safe, you also want to do the authentication over
> SSH. If you want crazy-paranoid-secure you use a hardware token:
>
> You give your user a device that will take an 8-digit number that they
> get when visiting the signup page, and the device gives them a 256-digit
> number that they have to type in correctly. They have to do it from a
> secure bunker at an undisclosed location to which they are dropped after
> being kidnapped by a bunch of gorillas (blindfolded all the way). If
> they fail to enter the number correctly the first time, the bunker is
> blown to pieces. If they don't enter it in 5 seconds, the bunker is blown to
> pieces. If they tell anyone about the bunker, site contents, or the
> hardware token, they get blown to pieces along with their relatives and
> anyone that had contact with the user in the previous 30 days (that's an
> extra insurance clause).
>
> Of course, if you are even more paranoid, you abduct them at night,
> extract any interaction intention from their brains, input them
> directly into software, and shove the results back into the server. Then
> you blow them into pieces.
>
> Um... am I making any sense? Probably not.
>
> --
> Branko Vukelic
> bra...@herdhound.com
> bg.bra...@gmail.com
>
> Lead Developer
> Herd Hound (tm) - Travel that doesn't bite
> www.herdhound.com
>
> Love coffee? You might love Loveffee, too.
> loveffee.appspot.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "web.py" group.
> To post to this group, send email to webpy@googlegroups.com.
> To unsubscribe from this group, send email to
> webpy+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/webpy?hl=en.
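As an added example (not code from the thread or from web.py), the scheme Branko describes written out end to end, plus a check that answers the question above: because the secret lives outside the database, a dump that leaks the salt and digest is not enough to verify a guess without it. The SECRET value and the PBKDF2 variant are this example's own assumptions; the PBKDF2 functions show the same salt$digest idea with a slow, iterated hash, which is what current guidance prefers over a single SHA-1.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed value for the example. In a real deployment the secret is
# generated once (e.g. os.urandom(32).hex()) and kept out of the database.
SECRET = "hypothetical-long-random-secret-kept-out-of-the-db"


def make_salt(length: int = 12) -> str:
    """Random per-password salt; the thread suggests about 12 chars."""
    return os.urandom(length).hex()[:length]


def hash_password(password: str, salt: str, secret: str = SECRET) -> str:
    """The thread's scheme: sha1(secret + salt + password) as hex."""
    return hashlib.sha1((secret + salt + password).encode()).hexdigest()


def store_password(password: str, salt: Optional[str] = None) -> str:
    """Return the 'salt$hexdigest' string the thread stores in the DB."""
    salt = salt or make_salt()
    return salt + "$" + hash_password(password, salt)


def check_password(stored: str, candidate: str, secret: str = SECRET) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(hash_password(candidate, salt, secret), digest)


def store_password_pbkdf2(password: str, salt: Optional[str] = None,
                          iterations: int = 600_000) -> str:
    """Hardened variant (example's assumption): PBKDF2-HMAC-SHA256 with the
    secret prepended to the password, iteration count kept in the record."""
    salt = salt or make_salt()
    dk = hashlib.pbkdf2_hmac("sha256", (SECRET + password).encode(),
                             salt.encode(), iterations)
    return f"pbkdf2${iterations}${salt}${dk.hex()}"


def check_password_pbkdf2(stored: str, candidate: str) -> bool:
    """Verify a record produced by store_password_pbkdf2."""
    _, iters, salt, digest = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", (SECRET + candidate).encode(),
                             salt.encode(), int(iters))
    return hmac.compare_digest(dk.hex(), digest)
```

Calling check_password with a wrong secret models an attacker who holds only the leaked database row: the comparison fails even for the correct password.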