I understand all the concerns. For new users let me clarify once more what the issue is:

1) if you use Field(....,'password',requires=CRYPT()) the password is stored encrypted using MD5
2) if you use Field(....,'password',requires=CRYPT(key='yourkey')) the password is stored encrypted using HMAC+SHA512

2) is much much more secure than 1). Some users want to make 2) the default instead of 1).

Problems:
a) You still need to pass a key to CRYPT
b) It will break backward compatibility unless data is converted
c) We cannot easily convert the data without human intervention.

The problem with collisions is not really important for short strings like passwords. So SHA512 in itself is not worse than MD5 in this case. The difference is HMAC or not HMAC. In fact, if the attacker gets access to the databases in the non-HMAC case he may be able to derive passwords using a look-up table. In the HMAC case this will be more difficult.

Since to use HMAC you need to hardcode an app password in the app and pass it to CRYPT, I do not see why any change in the code would be necessary.

Massimo

On Aug 1, 1:18 am, Bottiger <bottig...@gmail.com> wrote:
> Yes the software is there, but the hardware is a completely different
> matter.
>
> On Jul 31, 11:15 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>
> > On Jul 31, 2009, at 11:11 PM, Bottiger wrote:
>
> > > 2. Attackers will specifically target Web2Py's deterministic algorithm
> > > with a custom rainbow table.
>
> > > This is a possibility, but it is not a big one. First of all, even
> > > with md5, generating tables is not something the average script kiddie
> > > can do.
>
> > Google: rainbow table generator kit
>
> > http://www.google.com/search?hl=en&safe=off&q=rainbow+table+generator...
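The MD5-versus-HMAC distinction Massimo describes, as an added illustration that is not part of the thread and not web2py's own CRYPT validator code: the two helper functions, the application key 'yourkey' and the short password list are assumed/constructed, and the point is that the unkeyed digest can be matched against a table anyone can precompute, while the keyed digest only matches a table built with the same secret key (so the key must live in the app, not in the database).

```python
import hashlib
import hmac

# Assumed re-implementation of the two storage modes in the thread
# (illustrative only; not web2py's actual CRYPT code).
def crypt_md5(password):
    """CRYPT() without a key: plain, unkeyed MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def crypt_hmac_sha512(password, key):
    """CRYPT(key=...): HMAC-SHA512 keyed with the application secret."""
    return hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                    hashlib.sha512).hexdigest()

# Constructed stand-in for the "look-up table" of the thread: digests of a
# handful of common passwords, precomputed with a given hash function.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

def build_lookup(hash_fn):
    return {hash_fn(p): p for p in COMMON_PASSWORDS}

def recover_from_table(stored_digest, table):
    """Return the password if the stored digest is in the table, else None."""
    return table.get(stored_digest)

def demonstrate(password="letmein", app_key="yourkey"):
    # Unkeyed MD5: a table built without any secret matches the stored value.
    md5_hit = recover_from_table(crypt_md5(password), build_lookup(crypt_md5))

    # Keyed HMAC: a table built with a wrong (guessed) key never matches ...
    stored = crypt_hmac_sha512(password, app_key)
    wrong_table = build_lookup(lambda p: crypt_hmac_sha512(p, "guessed-key"))
    hmac_miss = recover_from_table(stored, wrong_table)

    # ... but one built with the real app key does, which is why the key
    # must be kept in the application and never alongside the database.
    right_table = build_lookup(lambda p: crypt_hmac_sha512(p, app_key))
    hmac_hit = recover_from_table(stored, right_table)
    return md5_hit, hmac_miss, hmac_hit
```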