The logic is very complex because it needs to deal with many options and 
not break backward compatibility.

Normally an encrypted password looks like

algorithm$salt$hash
algorithm$$hash  (no salt)
hash (legacy)

The hash is computed using the algorithm, the salt, and optionally a user 
provided key. The key is unique. The salt is different for each password.

Every time you call CRYPT()('password') you get a LazyCrypt object. This 
object can be serialized into a string. The string you get is always 
different because it contains a random salt. You cannot compare two of 
those strings because you always get false, even for the same password. Yet 
you can compare a LazyObject with a string and the lazy object will use the 
same algorithm and the same salt from the string to compute the hash and 
compare it with the hash in the string. Example:

>>> a = CRYPT()('password')
>>> b = CRYPT()('password')
>>> sa = str(a)
>>> sb = str(b)
>>> sa == sb
False
>>> a == sb
True
>>> c = CRYPT()('wrong')
>>> c == sb
False

This allows you to change the rules for hashing new passwords (change the 
algorithm and its parameters) but never break existing stored hashes.

There is a long and old discussion thread about this on 
web2py-developers: 
https://groups.google.com/forum/?fromgroups=#!searchin/web2py-developers/salt/web2py-developers/dKYUuuMrtO8/djOEB9QRdeoJ

hope this helps.


On Thursday, 31 January 2013 01:53:46 UTC-6, Hassan Alnatour wrote:
>
> Dear all,
>
> How can I find the salt used in web2py to encrypt the passwords?
>
> Now as I understand, if I want to encrypt the password manually I need to do 
> it like this?
> CRYPT(digest_alg='md5',key='mykey',salt=True)  
>
> Is this correct? I am a bit lost!! I need to understand how I can do the 
> same password encryption done to the passwords in the auth_user 
> table manually.
>
> Best Regards,
>  
>

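A small model of the behaviour described in the reply above, added here as an illustration and not web2py's own code: a lazy value that serializes as `algorithm$salt$hash` with a fresh random salt, and compares against a stored string by reusing the algorithm and salt found in that string. The hashing details (keyed hashes via HMAC over `key+salt`, `sha512` assumed for bare legacy hashes) are assumptions of this example, not a statement of what web2py does internally.

```python
import hashlib
import hmac
import secrets

# Assumption for bare legacy hashes (no "algorithm$salt$" prefix): sha512.
LEGACY_ALG = "sha512"


def _digest(alg, salt, text, key=None):
    """Hash text with alg and salt; with a key, use HMAC keyed by key+salt (assumed scheme)."""
    if key:
        return hmac.new((key + salt).encode(), text.encode(), alg).hexdigest()
    return hashlib.new(alg, (salt + text).encode()).hexdigest()


class LazyCrypt:
    """Holds the plaintext; hashing is deferred until str() or == is used."""

    def __init__(self, password, alg="sha512", key=None, salt=True):
        self.password, self.alg, self.key = password, alg, key
        # salt=True -> fresh random salt, so every str() of the same password differs.
        self.salt = secrets.token_hex(16) if salt is True else (salt or "")

    def __str__(self):
        return "%s$%s$%s" % (
            self.alg, self.salt, _digest(self.alg, self.salt, self.password, self.key))

    def __eq__(self, stored):
        """Compare against a stored string using ITS algorithm and salt, not ours."""
        if not isinstance(stored, str):
            return NotImplemented
        parts = stored.split("$")
        if len(parts) == 3:          # algorithm$salt$hash  or  algorithm$$hash
            alg, salt, h = parts
        elif len(parts) == 1:        # legacy bare hash
            alg, salt, h = LEGACY_ALG, "", stored
        else:
            return False
        # Constant-time comparison of the recomputed hash with the stored one.
        return hmac.compare_digest(_digest(alg, salt, self.password, self.key), h)


def demo():
    """Reproduces the session in the reply: sa != sb, a == sb, c != sb."""
    sa, sb = str(LazyCrypt("password")), str(LazyCrypt("password"))
    return sa != sb, LazyCrypt("password") == sb, LazyCrypt("wrong") == sb
```

Because `__eq__` takes the algorithm from the stored string, a row hashed under an older algorithm still verifies after new passwords are switched to a stronger one.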