On 4/20/07, Giovannetti, Mark <[EMAIL PROTECTED]> wrote:
+    def checkPassword(self, storedPassword, password):
+        if len(storedPassword) == 48:
+            salt = storedPassword[0:8]
+        else:
+            salt = ''
+        return storedPassword == self.encodePassword(password, salt)
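Review bot: the `len(storedPassword) == 48` test hard-wires an 8-character salt in front of the 40-character sha hexdigest, so a stored value whose salt has any other length (say 52 characters for a 12-character salt) silently falls through to `salt = ''` and the correct password is rejected. Either make encodePassword refuse a salt that is not exactly 8 characters, or take the salt as everything before the last 40 characters of storedPassword so whatever salt was used on encoding is recovered on checking. Separately, `storedPassword == self.encodePassword(password, salt)` is an ordinary early-exit string comparison; a comparison that does not stop at the first differing character would be the safer choice for a credential check.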

Because you allow the passing in of an arbitrary salt on encoding, you
should either check the salt length on encoding (ensuring len 8) or,
better, do the following:

    def checkPassword(self, storedPassword, password):
        # Everything before the trailing 40-char hexdigest is the salt,
        # whatever length it happens to be (possibly empty).
        salt = storedPassword[:len(storedPassword)-40]
        return storedPassword == self.encodePassword(password, salt)

That'll capture any salt length as the sha.hexdigest output is always
40 characters long.

--
Martijn Pieters
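To make the difference concrete, the following is an added example, not code from this thread or from Zope. It reconstructs a minimal password manager along the lines the patch implies: the stored value is the salt followed by the 40-character SHA-1 hex digest of salt + password (that layout, the class name and the use of hashlib/hmac are assumptions of this example). It puts the posted length-48 check beside the slice-based version from the reply, and additionally uses a constant-time comparison, which the thread does not discuss.

```python
import hashlib
import hmac
import secrets


class SHA1SaltedPasswordManager:
    """Hypothetical reconstruction of the manager under discussion.

    Stored form (assumed for this example): <salt><40 hex chars of sha1(salt + password)>
    """

    DIGEST_LEN = 40  # sha1 hexdigest is always 40 hex characters

    def encodePassword(self, password, salt=None):
        # Any salt length is accepted, exactly the situation the reply warns about.
        if salt is None:
            salt = secrets.token_hex(4)  # 8 hex chars, the length the patch assumed
        digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
        return salt + digest

    def checkPasswordFixedLength(self, storedPassword, password):
        # The check as posted in the patch: only an 8-char salt is recognised,
        # everything else is treated as unsalted.
        if len(storedPassword) == 48:
            salt = storedPassword[0:8]
        else:
            salt = ''
        return storedPassword == self.encodePassword(password, salt)

    def checkPassword(self, storedPassword, password):
        # The suggested fix: whatever precedes the trailing 40-char digest is the salt.
        salt = storedPassword[:len(storedPassword) - self.DIGEST_LEN]
        expected = self.encodePassword(password, salt)
        # Constant-time compare so a mismatch does not leak where it occurred
        # (an addition of this example; both values are ASCII here).
        return hmac.compare_digest(storedPassword.encode("ascii"),
                                   expected.encode("ascii"))


def demo():
    """Run both checks over constructed credentials and return the outcomes."""
    mgr = SHA1SaltedPasswordManager()
    results = {}

    # 8-char salt: both checks agree, the correct password is accepted.
    stored8 = mgr.encodePassword("hunter2", "abcdefgh")
    results["fixed_len_8char_salt"] = mgr.checkPasswordFixedLength(stored8, "hunter2")
    results["any_len_8char_salt"] = mgr.checkPassword(stored8, "hunter2")

    # 12-char salt (stored value is 52 chars): the fixed-length check falls back
    # to salt = '' and rejects the correct password; the slice-based check accepts it.
    stored12 = mgr.encodePassword("hunter2", "abcdefghijkl")
    results["fixed_len_12char_salt"] = mgr.checkPasswordFixedLength(stored12, "hunter2")
    results["any_len_12char_salt"] = mgr.checkPassword(stored12, "hunter2")

    # No salt at all (stored value is exactly the 40-char digest): both work.
    stored0 = mgr.encodePassword("hunter2", "")
    results["fixed_len_no_salt"] = mgr.checkPasswordFixedLength(stored0, "hunter2")
    results["any_len_no_salt"] = mgr.checkPassword(stored0, "hunter2")

    # A wrong password is still rejected by the slice-based check.
    results["wrong_password"] = mgr.checkPassword(stored12, "hunter3")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, ok))
```

The example keeps SHA-1 only to mirror the code in the thread; a fast hash with a short salt is not an appropriate password store for new code, where a deliberately slow password hash should be used instead.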
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com