On 12 June 2014 23:59, Sean Dague <s...@dague.net> wrote:

> The only thing it makes harder is you have to generate your own token to
> run the curl command. The rest is there. Because everyone is running our
> servers at debug levels, it means the clients are going to be running
> debug level as well (yay python logging!), so this is something I don't
> think people realized was a huge issue.
>
>> Anyway I have sent a patch for swiftclient for this in :
>>
>> https://review.openstack.org/#/c/99632/1
>>
>> Personally I don't much like that SHA1, and I'd rather use the
>> first 16 bytes of the token (like we did in the swift server)
>
> Using a well known hash means you can verify it was the right thing if
> you have access to the original data. Just taking the first 16 bytes
> doesn't give you that, so I think the hash provides slightly more
> debugability.

Would it be possible to salt it? e.g. make a 128bit salt and use that.
The same token used twice will log with the same salt, but you won't
have the rainbow table weakness.

The length of tokens isn't a particularly strong defense against
rainbow tables AIUI: if folk realise we have tokens exposed, they will
just use a botnet to build a table specifically targeting us.

-Rob

-- 
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Converged Cloud

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
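The three options discussed in the thread, side by side, as an added example that is not part of the swiftclient patch or anything posted above: truncating the token to its first 16 bytes, logging an unkeyed SHA1 of it (what the patch does), and Robert's salted variant. The salted form is implemented here as HMAC-SHA256 keyed with a 128-bit secret, which is an assumption since the thread names no construction; the token and salt values are constructed for the demo. It also includes the attacker's side, a precomputed table of candidate tokens, to show why the unkeyed hash is the rainbow-table weakness Robert describes and the keyed one is not.

```python
import hashlib
import hmac
import os

# Constructed sample values; not a real Keystone/Swift token or deployment salt.
SAMPLE_TOKEN = "AUTH_tk0123456789abcdef0123456789abcdef"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit, fixed for the demo


def redact_truncate(token, n=16):
    """Option 1 (the swift server approach): keep only the first n bytes.
    Nobody can verify this against the original token later, and it
    still leaks a prefix of the secret."""
    return token[:n] + "..."


def redact_sha1(token):
    """Option 2 (the swiftclient patch): unkeyed SHA1 of the token.
    Anyone holding the original can verify it matched the log line, but
    anyone holding a table of candidate tokens can reverse it just as easily."""
    return hashlib.sha1(token.encode("utf-8")).hexdigest()


def redact_keyed(token, salt):
    """Option 3 (Robert's suggestion): mix a secret 128-bit salt into the
    digest. HMAC-SHA256 is an assumption, not something the thread specifies.
    Same token + same salt -> same log value, so log lines still correlate,
    but a table built without the salt cannot be looked up against it."""
    return hmac.new(salt, token.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_keyed(token, salt, logged):
    """Debugability check: does this token produce the logged value?
    Constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(redact_keyed(token, salt), logged)


def table_attack(logged, candidates, digest_fn):
    """Attacker side: precompute digest_fn over a list of candidate tokens
    (what a botnet would build at scale) and look up the logged value.
    Returns the recovered token or None."""
    table = {digest_fn(c): c for c in candidates}
    return table.get(logged)


def new_salt():
    """Generate the per-deployment (or per-process) 128-bit salt once;
    reusing it across log lines keeps repeated tokens correlatable."""
    return os.urandom(16)


if __name__ == "__main__":
    candidates = [SAMPLE_TOKEN, "AUTH_tkdeadbeef", "AUTH_tk00000000"]
    sha1_line = redact_sha1(SAMPLE_TOKEN)
    keyed_line = redact_keyed(SAMPLE_TOKEN, DEMO_SALT)
    print("truncated :", redact_truncate(SAMPLE_TOKEN))
    print("sha1      :", sha1_line, "-> table recovers", table_attack(sha1_line, candidates, redact_sha1))
    print("keyed     :", keyed_line, "-> table recovers", table_attack(keyed_line, candidates, redact_sha1))
    print("verifiable:", verify_keyed(SAMPLE_TOKEN, DEMO_SALT, keyed_line))
```

The keyed variant keeps the property Sean wanted (an operator with the original token and the deployment salt can confirm a log line refers to it) while removing the one he didn't mention: the log file being a list of values that a third party can precompute against.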