On Jul 31, 2009, at 8:07 AM, Julio wrote:

> On Jul 31, 1:19 am, Jonathan Lundell <jlund...@pobox.com> wrote:
>>
>> I'm suggesting (sticking with md5 for comparability):
>>
>> md5(password+random)+random
>>
>> ...where random is randomly chosen for each new password.
>>
>> You're suggesting?
>
> How can you hash a password with a "random" salt??, the whole purpose
> for the authentication logic is to be able to recreate the hash in
> order to compare against what is stored in the database?, under this
> premise let's scrap the entire hashing issue and just set the
> passwords to str(random.random())[2:] or am I missing something here?
You're missing something. From my earlier post, you create the password thus (I've added a separator byte for convenience):

    import hashlib
    import random

    passwd = "Hello World"
    salt = str(random.randint(1, 1000000))   # fresh random salt per password
    hashed_pwd = hashlib.md5(passwd+salt).hexdigest()+":"+salt   # store hash and salt together

To check the password, retrieve the user's hashed_pwd from the user db, split it on ":" to retrieve the salt, append it to the password to be checked, and compare the hash of the result to the hash part of the split.

(I've used randint.str as a simple example; in practice you'd use a more dense representation, and while you're at it you'd use a better hash than md5.)
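Both halves of the scheme described above (create with a fresh random salt, verify by splitting the stored value on ":"), as an added Python 3 example that is not code from this thread. The hex salt from os.urandom, the pbkdf2 functions and the `pbkdf2_sha256:iterations:salt:hash` layout are my assumptions, standing in for the "more dense representation" and "better hash than md5" the post mentions.

```python
import hashlib
import hmac
import os


def make_salted_md5(password, salt=None):
    """Scheme from the post: md5(password + salt) + ":" + salt.
    The salt is random per password; 16 random bytes as hex (assumed) rather
    than str(randint(...))."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def check_salted_md5(password, stored):
    """Split on ':' to recover the salt, re-hash the candidate with it and
    compare the hash parts (constant-time compare to avoid leaking timing)."""
    digest, salt = stored.split(":", 1)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def make_pbkdf2(password, salt=None, iterations=100_000):
    """Same idea with a slow, salted KDF instead of a bare md5.
    Stored layout (assumed): scheme:iterations:salt:hash, so the iteration
    count can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256:%d:%s:%s" % (iterations, salt, dk.hex())


def check_pbkdf2(password, stored):
    """Recover scheme, iterations and salt from the stored record and
    recompute; reject records that do not carry the expected scheme."""
    scheme, iters, salt, digest = stored.split(":", 3)
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), int(iters))
    return hmac.compare_digest(dk.hex(), digest)
```

Because the salt is stored beside the hash, two users with the same password get different records, and the verifier never needs to know the salt in advance, which answers the objection in the quoted message.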