On Jul 31, 2009, at 12:19 AM, Fran wrote:

> On Jul 31, 4:10 am, mdipierro <mdipie...@cs.depaul.edu> wrote:
>> We cannot break backward compatibility. People should specify a key
>> and use the HMAC+SHA512 anyway.
>
> Currently the default auth_user table just has:
> table[passfield].requires = [CRYPT()]
>
> So *all* instances should amend that, right?
>
> This should be in the scaffolding app & very clear in the docs:
> http://web2py.com/examples/default/tools#authentication
> new manual (chapter 8)

It wouldn't be extraordinarily difficult to migrate an existing MD5-hashed password table to a stronger method.

Suppose we could specify two hash functions, CRYPT() and STRONGCRYPT(). When validating a password, we try both, but when hashing a new password we always use STRONGCRYPT(). If we validate an entered password with CRYPT(), then we update it immediately with STRONGCRYPT(), which we can do because we have the (validated) plaintext password.
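The two-validator migration described above, written out as an added, self-contained Python example (not code from the post or from web2py's CRYPT validator): the legacy format is assumed to be an unsalted MD5 hex digest, the strong format a keyed HMAC-SHA512 over a random per-user salt, and the names `SITE_KEY`, `strong_hash`, `verify_and_upgrade` and `login` are hypothetical. A login attempt that succeeds only against the legacy hash is rewritten in the strong format on the spot, so each user is upgraded the first time they log in; the stored value tells the verifier which scheme to use.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder for the deployment's secret key (hypothetical value).
SITE_KEY = b"example-site-key-change-me"


def legacy_hash(password: str) -> str:
    """Legacy scheme being migrated away from: unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, key: bytes, salt: Optional[bytes] = None) -> str:
    """Strong scheme: HMAC-SHA512 keyed with the site key over salt||password.

    Stored as 'sha512$<salt hex>$<mac hex>' so the salt travels with the hash.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    mac = hmac.new(key, salt + password.encode("utf-8"), hashlib.sha512).hexdigest()
    return f"sha512${salt.hex()}${mac}"


def verify_strong(stored: str, password: str, key: bytes) -> bool:
    """True if 'stored' is a strong-format hash of 'password'."""
    try:
        algo, salt_hex, _mac_hex = stored.split("$")
    except ValueError:
        return False  # not in the strong format at all
    if algo != "sha512":
        return False
    expected = strong_hash(password, key, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, stored)


def verify_legacy(stored: str, password: str) -> bool:
    """True if 'stored' is the legacy MD5 hash of 'password'."""
    return hmac.compare_digest(legacy_hash(password), stored)


def verify_and_upgrade(stored: str, password: str, key: bytes) -> Tuple[bool, Optional[str]]:
    """Try the strong validator first, then the legacy one.

    Returns (ok, replacement). 'replacement' is a new strong-format hash
    only when the password was accepted by the legacy validator and the
    stored value should therefore be rewritten.
    """
    if verify_strong(stored, password, key):
        return True, None
    if verify_legacy(stored, password):
        # We hold the validated plaintext right now, so rehash it immediately.
        return True, strong_hash(password, key)
    return False, None


def login(users: dict, username: str, password: str, key: bytes) -> bool:
    """Authenticate against the in-memory 'users' table and upgrade in place."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, replacement = verify_and_upgrade(stored, password, key)
    if ok and replacement is not None:
        users[username] = replacement  # the legacy hash is gone after this login
    return ok


if __name__ == "__main__":
    # Constructed sample table: one user still on the legacy MD5 format.
    users = {"alice": legacy_hash("correct horse")}
    print("before:", users["alice"])
    print("wrong password accepted?", login(users, "alice", "wrong", SITE_KEY))
    print("right password accepted?", login(users, "alice", "correct horse", SITE_KEY))
    print("after: ", users["alice"])
```

Note that a wrong password never triggers an upgrade, and once a row is in the strong format the legacy validator no longer matches it, so there is no path back to MD5.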

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to 
web2py+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---