Hi Dmitry,

> -----Original Message-----
> From: Dmitry Vasiliev [mailto:[EMAIL PROTECTED]
>
> Giovannetti, Mark wrote:
> > I've been researching authentication and whatnot in Zope 3
> > and was looking at the password management implementations.
> > I don't like the fact that the SHA1 password manager
> > doesn't use a random salt value when encoding and storing
> > a password. Salts are commonly used in /etc/passwd and
> > friends to eliminate the identification of passwords that
> > are the same among users, as well as to make the brute
> > forcing space a little larger.
>
> Actually I've always thought about z.a.authentication.password as a
> simple reference implementation which you can use if you don't care much
> about security. However, in production it is always preferred to use more
> secure password managers. I'm not sure we need to apply the proposed
> patch, but rather add a note about the reference implementation at the top of
> the z.a.a.password.
>
You make a point, although I would expect a reference implementation to be as good as possible. Hence, improvements can be encouraged and, perhaps, the security bar raised. Adding this salt patch allows a better, more secure reference implementation.

Surely, welcoming obvious improvements that will save some other zope developer from re-implementing a secure /etc/passwd equivalent is desirable. A note is likely to make the potential zope developer sigh and realize that there is more work for them to do.

Don't get me wrong, I will be using LDAP in the future, but for many zope implementations, a good local passwd file is and can be secure enough for people who care about security. I do, which is why I took the time to write this patch.

Anyway, I hope I've convinced you! If not, c'est la vie!

Mark

P.S. Python 2.5 has hashlib which supports sha224, sha256 and so forth. I may look into adding support for those hashes to password when zope has been updated for 2.5.
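The point the thread turns on (an unsalted SHA1 password manager exposes which users share a password, a salted one does not) can be shown directly. The following is an added illustration, not Mark's patch and not code from zope.app.authentication.password: it pairs a plain SHA1 manager with a salted manager that, following the P.S., accepts any hashlib algorithm name. The encodePassword/checkPassword method names, the {SSHA1}-style prefix, the digest+salt storage layout and the user list are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os


class PlainSHA1PasswordManager:
    """Unsalted SHA1, the weakness raised in the thread: equal passwords
    produce byte-identical stored values, so duplicates are visible to
    anyone who can read the stored credentials."""

    def encodePassword(self, password):
        return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()

    def checkPassword(self, storedPassword, password):
        # constant-time comparison avoids leaking how many chars matched
        return hmac.compare_digest(storedPassword, self.encodePassword(password))


class SaltedHashPasswordManager:
    """Salted manager (hypothetical, not the Zope class). `algorithm` is any
    hashlib name: 'sha1' matches the thread, 'sha256' is the P.S. suggestion.
    Stored form is '{S<ALGO>}' + base64(digest + salt), so the salt travels
    with the hash and needs no separate field."""

    def __init__(self, algorithm="sha1", salt_len=8):
        self.algorithm = algorithm
        self.salt_len = salt_len
        self.prefix = "{S%s}" % algorithm.upper()  # e.g. {SSHA1}, {SSHA256}

    def _digest(self, password, salt):
        h = hashlib.new(self.algorithm)
        h.update(password.encode("utf-8"))
        h.update(salt)
        return h.digest()

    def encodePassword(self, password, salt=None):
        if salt is None:
            salt = os.urandom(self.salt_len)  # fresh random salt per password
        raw = self._digest(password, salt) + salt
        return self.prefix + base64.b64encode(raw).decode("ascii")

    def checkPassword(self, storedPassword, password):
        if not storedPassword.startswith(self.prefix):
            return False
        raw = base64.b64decode(storedPassword[len(self.prefix):])
        size = hashlib.new(self.algorithm).digest_size
        digest, salt = raw[:size], raw[size:]  # salt is recovered from storage
        return hmac.compare_digest(digest, self._digest(password, salt))


# Constructed sample accounts: alice and bob deliberately share a password.
USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]


def duplicate_passwords_visible(manager, users=USERS):
    """True if two accounts with the same password get identical stored
    values, i.e. the shared password is visible without cracking anything."""
    stored = [manager.encodePassword(pw) for _, pw in users]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("plain SHA1 reveals shared passwords:",
          duplicate_passwords_visible(PlainSHA1PasswordManager()))
    print("salted SHA1 reveals shared passwords:",
          duplicate_passwords_visible(SaltedHashPasswordManager()))
    print("salted SHA256 reveals shared passwords:",
          duplicate_passwords_visible(SaltedHashPasswordManager("sha256")))
```

The salt closes the "same password, same hash" leak and forces per-user work on an attacker, which is exactly the /etc/passwd argument from the thread; it does not make a single SHA1 or SHA256 digest slow, so a deployment that cares about offline guessing would today layer an iterated construction (PBKDF2, bcrypt, scrypt) on top of the same store-the-salt-with-the-hash layout.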
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org