On Sun, 2009-02-01 at 01:07 -0800, Guy Rutenberg wrote:
> Hi Kless,
>
>
> On Jan 31, 7:05 pm, Kless wrote:
> >
> > Your method has a point of failure. Anyone can see your JS code
> > (client-code), so he will know what you are doing with the password
> > that is sent from a form.
> >
> > The
Hi Rutenberg,
I just found something that can be of interest to you. It's a "secure"
method to login without https. Although it isn't really secure in
comparison to https.
http://www.pylucid.org/about/features/JS-SHA-Login/
On 1 feb, 09:07, Guy Rutenberg wrote:
> I just wonder if Django
> has
Hi Kless,
On Jan 31, 7:05 pm, Kless wrote:
>
> Your method has a point of failure. Anyone can see your JS code
> (client-code), so he will know what you are doing with the password
> that is sent from a form.
>
> The best options are https or using HMAC-SHA1/RIPEMD160
>
I've indeed referenc
Rutenberg, you're correct. bcrypt is only a solution for storing the
hash of passwords in a secure way. In fact, it's the most secure and
easy way that I've found; and it has been implemented and is being used by
OpenBSD.
Your method has a point of failure. Anyone can see your JS code
(client-cod
Hi Kless,
Correct me if I'm wrong but bcrypt can be used as a solution for
storing the passwords in the database (instead of the default sha1)
but it doesn't provide the solution I'm looking for: not sending plain-
text passwords in login forms. Anyway bcrypt sounds interesting,
especially its ab
I recommend you to use bcrypt, the password-hashing algorithm used in
OpenBSD.
The advantages are that it automatically creates and manages the salt for each
password entered; and the most important is that it is adaptable to
future processor performance improvements.
http://pypi.python.org/pypi/bcryptW
Hi Matthias,
On Jan 31, 12:37 am, Matthias Julius wrote:
>
>
> But, it doesn't help you anything. Someone who could get a hold of a
> plain text password sent over the internet could get a hashed password
> just as easily. And the server has no way of telling whether the sent
> password hash c
Guy Rutenberg writes:
> Hi Martin,
>
> On Jan 30, 11:43 pm, Martin Conte Mac Donell
> wrote:
>>
>> Actually in contrib.auth passwords are stored in SHA1. If you mean
>> that passwords are sent in plain text "over the network" then you
>> should use https.
>>
>
> I meant "over the network". Whil
Hi Martin,
On Jan 30, 11:43 pm, Martin Conte Mac Donell
wrote:
>
> Actually in contrib.auth passwords are stored in SHA1. If you mean
> that passwords are sent in plain text "over the network" then you
> should use https.
>
I meant "over the network". While https is the ideal solution security
On Fri, Jan 30, 2009 at 5:36 PM, Guy Rutenberg wrote:
> I've started using Django recently and when I've used the auth module
> I noticed that it only verifies a plain text password. I'm not
> comfortable with this behaviour as it means that passwords have to be
> sent by login forms in plain tex