On 2011-08-05 18:39 +0200, Troels Mæhl Folke wrote:
> Is the secret (hardcoded?) to prevent crackers guessing the password
> even though the salts are leaked?

Yeah. And yes, it is hardcoded. The only problem with using hardcoded secrets is that you can't ever change them. If you change the secret, all passwords will become invalid. Some might say it's a stupid thing to use for this reason.

In most cases, if you have secured the database reasonably well and you don't handle sensitive data, you can get away with using just salts. But then you have to be absolutely sure that attackers have no chance of dumping your database (doing a backup over an insecure line, for example, is a no-no in this case).

--
Branko Vukelic
bra...@herdhound.com
bg.bra...@gmail.com

Lead Developer
Herd Hound (tm) - Travel that doesn't bite
www.herdhound.com

Love coffee? You might love Loveffee, too.
loveffee.appspot.com
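The scheme discussed above, as an added example that is not code from the original thread or from web.py: a per-user random salt is stored in the database, while a hardcoded secret (often called a pepper) lives only in the application and is mixed into the hash via HMAC. The example also shows the two consequences the reply points out: an attacker who dumps the table gets the salts but still cannot verify guesses without the secret, and swapping the secret invalidates every stored hash. The secret values, iteration count and candidate passwords below are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: the "hardcoded secret" (pepper) the reply
# refers to. In a real deployment it lives in application code or config,
# never in the database next to the salts.
PEPPER_V1 = b"example-hardcoded-secret-v1"
PEPPER_V2 = b"example-hardcoded-secret-v2"  # what a "rotated" secret would look like

PBKDF2_ITERATIONS = 100_000  # constructed; tune to your hardware


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest).

    The salt is stored in the database alongside the digest; the pepper is
    not stored anywhere an attacker with a database dump can reach.
    """
    if salt is None:
        salt = os.urandom(16)
    # Key the password with the pepper first, so the PBKDF2 input itself
    # depends on the secret; a leaked (salt, digest) row is useless without it.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes,
                    pepper: bytes) -> bool:
    """Recompute the digest with the given pepper and compare in constant time."""
    _, digest = hash_password(password, pepper, salt)
    return hmac.compare_digest(digest, stored_digest)


def offline_guess(candidates, salt: bytes, stored_digest: bytes,
                  pepper: Optional[bytes] = None) -> Optional[str]:
    """Simulate an attacker holding a dumped (salt, digest) row.

    With pepper=None the attacker does not know the secret and can only run
    the derivation without it; with the pepper the same guesses succeed.
    Returns the matching candidate or None.
    """
    for candidate in candidates:
        if pepper is None:
            # Best the attacker can do without the secret: derive from the
            # bare password and hope the secret was never mixed in.
            digest = hashlib.pbkdf2_hmac(
                "sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        else:
            _, digest = hash_password(candidate, pepper, salt)
        if hmac.compare_digest(digest, stored_digest):
            return candidate
    return None


if __name__ == "__main__":
    salt, digest = hash_password("hunter2", PEPPER_V1)
    print("login ok:", verify_password("hunter2", salt, digest, PEPPER_V1))
    print("after secret change:", verify_password("hunter2", salt, digest, PEPPER_V2))
    print("cracker without secret:", offline_guess(["123456", "hunter2"], salt, digest))
    print("cracker with secret:", offline_guess(["123456", "hunter2"], salt, digest, PEPPER_V1))
```

The last two calls make the trade-off concrete: the dumped row only helps an attacker who also obtained the secret, which is why it must not sit in the same database or backup as the salts, and the `PEPPER_V2` check shows why changing it is effectively impossible once users exist.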