Re: Using hashing for password checking in auth module

2009-02-01 Thread Malcolm Tredinnick
On Sun, 2009-02-01 at 01:07 -0800, Guy Rutenberg wrote: > Hi Kless, > > > On Jan 31, 7:05 pm, Kless wrote: > > > > Your method has a point of failure. Whoever can see your JS code > > (client-code) will know what you are doing with the password > > that is sent from a form. > > > > The

Re: Using hashing for password checking in auth module

2009-02-01 Thread Kless
Hi Rutenberg, I have just found something that may be of interest to you. It's a "secure" method to log in without https, although it isn't really secure in comparison to https. http://www.pylucid.org/about/features/JS-SHA-Login/ On 1 Feb, 09:07, Guy Rutenberg wrote: > I just wonder if Django > has

Re: Using hashing for password checking in auth module

2009-02-01 Thread Guy Rutenberg
Hi Kless, On Jan 31, 7:05 pm, Kless wrote: > > Your method has a point of failure. Whoever can see your JS code > (client-code) will know what you are doing with the password > that is sent from a form. > > The best options are https or using HMAC-SHA1/RIPEMD160 > I've indeed referenc

Re: Using hashing for password checking in auth module

2009-01-31 Thread Kless
Rutenberg, you're correct. bcrypt is only a solution for storing the hashes of passwords in a secure way. In fact, it's the most secure and easy way that I've found; it has been implemented and is being used by OpenBSD. Your method has a point of failure. Whoever can see your JS code (client-cod

Re: Using hashing for password checking in auth module

2009-01-31 Thread Guy Rutenberg
Hi Kless, Correct me if I'm wrong, but bcrypt can be used as a solution for storing the passwords in the database (instead of the default sha1), but it doesn't provide the solution I'm looking for: not sending plain-text passwords in login forms. Anyway, bcrypt sounds interesting, especially its ab

Re: Using hashing for password checking in auth module

2009-01-31 Thread Kless
I recommend you to use bcrypt, the password-hashing algorithm used in OpenBSD. The advantages are that it automatically creates and manages the salt for each password entered, and, most important, that it is adaptable to future processor performance improvements. http://pypi.python.org/pypi/bcryptW
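The two properties the post attributes to bcrypt (a fresh random salt per password, and a cost factor that can be raised later as hardware gets faster) can be seen in working code without the third-party module. The example below is added here and is not code from the thread or from the bcrypt package: it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in, and the `algo$iterations$salt$digest` record layout, the function names and the default iteration count are assumptions made for the demo.

```python
"""Added example: salted, cost-adjustable password storage.

This is NOT bcrypt; it substitutes hashlib.pbkdf2_hmac (standard
library) to show the same two properties the post names. The record
format 'algo$iterations$salt_hex$digest_hex' is an assumption for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Hash `password` with a fresh 16-byte random salt and the given cost.

    `salt` is injectable only so a test can be deterministic; production
    callers leave it None so every record gets its own salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in the record and compare
    in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the record was made with a lower cost than the deployment
    now requires. This is what 'adaptable to future processor performance'
    means in practice: old records are upgraded on the next login."""
    return int(stored.split("$")[1]) < current_iterations


def login(password: str, stored: str,
          current_iterations: int) -> Tuple[bool, str]:
    """Verify, and on success transparently re-hash at the current cost.

    Returns (ok, stored_record); the caller persists the record if it changed."""
    if not check_password(password, stored):
        return False, stored
    if needs_rehash(stored, current_iterations):
        return True, hash_password(password, current_iterations)
    return True, stored


if __name__ == "__main__":
    # Constructed demo: a record made at cost 1000, then a policy bump to 2000.
    old = hash_password("correct horse", iterations=1000)
    ok, new = login("correct horse", old, current_iterations=2000)
    print("login ok:", ok, "| upgraded:", new != old)
    print("wrong password:", login("wrong", new, 2000)[0])
```

Two details carry over to any real password hash, bcrypt included: the salt and cost live inside the stored record so verification needs no external configuration, and the cost bump only takes effect for a user when they next present the password, because the server never has the plaintext otherwise.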

Re: Using hashing for password checking in auth module

2009-01-30 Thread Guy Rutenberg
Hi Matthias, On Jan 31, 12:37 am, Matthias Julius wrote: > > > But it doesn't help you at all. Someone who could get hold of a > plain text password sent over the internet could get a hashed password > just as easily. And the server has no way of telling whether the sent > password hash c

Re: Using hashing for password checking in auth module

2009-01-30 Thread Matthias Julius
Guy Rutenberg writes: > Hi Martin, > > On Jan 30, 11:43 pm, Martin Conte Mac Donell > wrote: >> >> Actually in contrib.auth passwords are stored in SHA1. If you mean >> that passwords are sent in plain text "over the network" then you >> should use https. >> > > I meant "over the network". Whil
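Matthias's objection (a sniffed client-side hash is just as good as the password, and the server cannot tell a replay from a real login) and the nonce-based JS-SHA-Login approach Kless links to earlier in the thread are both easy to see in a few lines. The example below is added here; it is not PyLucid's code and not code posted in the thread. It simulates server, client and a passive sniffer in one process; the class names, the `HMAC-SHA1(key = stored hash, msg = nonce)` response layout and the 16-byte nonce are assumptions for the demo.

```python
"""Added example: why a bare client-side password hash is replayable, and
how a server-issued single-use nonce with HMAC-SHA1 defeats the replay.

Not PyLucid's JS-SHA-Login and not code from the thread; the message
layout and names are assumptions for this demo.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> str:
    """sha1(password) as hex: what a naive client-side hashing scheme sends
    and what the server stores (deliberately weak, to match the thread)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


class HashOnlyServer:
    """Scheme A: client sends sha1(password). What the server stores is
    exactly what travels on the wire, so a sniffed value IS a credential."""

    def __init__(self, password: str):
        self.stored = password_hash(password)

    def login(self, client_hash: str) -> bool:
        return hmac.compare_digest(client_hash, self.stored)


class ChallengeServer:
    """Scheme B: server issues a random nonce per login attempt and accepts
    only HMAC-SHA1(key=stored_hash, msg=nonce). Each nonce is valid once."""

    def __init__(self, password: str):
        self.stored = password_hash(password).encode("ascii")
        self.outstanding = set()          # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:  # unknown or already consumed
            return False
        self.outstanding.discard(nonce)    # single use, even on failure
        expected = hmac.new(self.stored, nonce.encode("ascii"),
                            hashlib.sha1).hexdigest()
        return hmac.compare_digest(response, expected)


def client_response(password: str, nonce: str) -> str:
    """What the browser-side JS computes from the typed password and the
    nonce it was given; the plaintext password never leaves the client."""
    key = password_hash(password).encode("ascii")
    return hmac.new(key, nonce.encode("ascii"), hashlib.sha1).hexdigest()


def replay_demo(password: str = "hunter2") -> dict:
    """A passive sniffer records one legitimate login under each scheme and
    replays it. Returns which logins and replays the servers accepted."""
    a = HashOnlyServer(password)
    sniffed = password_hash(password)
    legit_a = a.login(sniffed)
    replay_a = a.login(sniffed)                    # same bytes again

    b = ChallengeServer(password)
    nonce = b.challenge()
    resp = client_response(password, nonce)        # sniffer records (nonce, resp)
    legit_b = b.login(nonce, resp)
    replay_same = b.login(nonce, resp)             # old nonce: already consumed
    replay_new = b.login(b.challenge(), resp)      # fresh nonce: old resp wrong

    return {
        "hash_only_login": legit_a,
        "hash_only_replay": replay_a,
        "challenge_login": legit_b,
        "challenge_same_nonce_replay": replay_same,
        "challenge_new_nonce_replay": replay_new,
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name:30s} accepted={accepted}")
```

The demo also shows the limit Kless concedes in the thread: in scheme B the server must store the very value the client uses as the HMAC key, so whoever reads the database can answer any challenge without knowing the password. The nonce stops a passive sniffer from replaying, and nothing more; it gives no confidentiality for the rest of the session and no protection against an active attacker who rewrites the page serving the JS, which is why https stays the real answer.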

Re: Using hashing for password checking in auth module

2009-01-30 Thread Guy Rutenberg
Hi Martin, On Jan 30, 11:43 pm, Martin Conte Mac Donell wrote: > > Actually in contrib.auth passwords are stored in SHA1. If you mean > that passwords are sent in plain text "over the network" then you > should use https. > I meant "over the network". While https is the ideal solution security

Re: Using hashing for password checking in auth module

2009-01-30 Thread Martin Conte Mac Donell
On Fri, Jan 30, 2009 at 5:36 PM, Guy Rutenberg wrote: > I've started using Django recently and when I've used the auth module > I noticed that it only verifies a plain text password. I'm not > comfortable with this behaviour as it means that passwords have to be > sent by login forms in plain tex