On Aug 2, 2009, at 12:24 PM, mdipierro wrote:
>
> But if there is a default key then everybody knows the default key.
> What's the point? The key has to be passed and has to be unique for
> every app.

The point is that the resulting hashes aren't in publicly available precomputed rainbow tables. And the default key could be something like:

key='change this key to something application-specific!'

Better than unsalted MD5, and an easy-to-comply-with nudge to the developer.

(Query: are SHAx HMAC keys arbitrary byte strings, or are they restricted in some way?)

>
> On Aug 2, 1:52 pm, Fran <francisb...@googlemail.com> wrote:
>> On Aug 2, 7:41 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>>
>>> Then let's make this the default, with a default key.
>>
>> +1
>> An easy way to add /some/ security (i.e. helps against attacks which
>> don't know about web2py) & if this is in the scaffolding app, then it
>> makes it clearer that this is a change people should make in their
>> own
>> code...
>>
>> F
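The following is an added example illustrating the three points in this exchange; it is not web2py's code and not code from anyone in the thread. It contrasts the unsalted MD5 baseline with an HMAC under an application-specific key, answers the "are HMAC keys restricted?" query by exercising the RFC 2104 key rules that Python's hmac module implements (any byte string works; short keys are zero-padded to the hash block size, long keys are first hashed), and adds a per-user salt on top of the keyed hash so identical passwords do not produce identical stored values. DEFAULT_KEY is an assumed placeholder of the kind proposed above, and SHA-256 is assumed as the "SHAx" digest.

```python
import hashlib
import hmac
import os

# Assumed placeholder default key of the kind the thread proposes; an app
# should replace it with its own value (this is not web2py's actual constant).
DEFAULT_KEY = b"change this key to something application-specific!"


def unsalted_md5(password: str) -> str:
    """The baseline the thread wants to move away from: a bare MD5 digest.
    Identical for every app and every user with this password, so it is
    exactly what a precomputed (rainbow) table indexes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hmac_hash(password: str, key: bytes = DEFAULT_KEY, digest: str = "sha256") -> str:
    """HMAC of the password under an application-specific key.
    A table precomputed for plain MD5/SHA does not contain these values,
    because building one requires knowing the key."""
    return hmac.new(key, password.encode("utf-8"), digest).hexdigest()


def keys_are_arbitrary_bytes(digest: str = "sha256") -> dict:
    """Exercises the RFC 2104 key handling behind the hmac module:
      - any byte string is accepted as a key, including the empty string;
      - a key shorter than the hash block size is zero-padded to it, so
        'k' and 'k\\x00\\x00\\x00' are the same key;
      - a key longer than the block size is replaced by its hash, so a
        long key and its digest are the same key."""
    msg = b"password"  # constructed sample input
    block = hashlib.new(digest).block_size  # 64 bytes for SHA-256
    short_key = b"k"
    long_key = b"L" * (block + 10)
    return {
        "empty_key_works": len(hmac.new(b"", msg, digest).digest())
        == hashlib.new(digest).digest_size,
        "short_key_zero_padded": hmac.new(short_key, msg, digest).digest()
        == hmac.new(short_key + b"\x00" * 3, msg, digest).digest(),
        "long_key_is_hashed": hmac.new(long_key, msg, digest).digest()
        == hmac.new(hashlib.new(digest, long_key).digest(), msg, digest).digest(),
    }


def hash_with_salt(password: str, key: bytes = DEFAULT_KEY, salt: str = None) -> str:
    """Keyed hash plus a random per-user salt, so two users with the same
    password (or one user across two apps that share a key) do not store
    identical values. Returns 'salt$hexdigest'."""
    if salt is None:
        salt = os.urandom(16).hex()
    mac = hmac.new(key, (salt + password).encode("utf-8"), "sha256").hexdigest()
    return f"{salt}${mac}"


def verify(password: str, stored: str, key: bytes = DEFAULT_KEY) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = stored.split("$", 1)
    candidate = hash_with_salt(password, key, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("md5      :", unsalted_md5("password"))
    print("hmac     :", hmac_hash("password"))
    print("key rules:", keys_are_arbitrary_bytes())
    stored = hash_with_salt("password")
    print("stored   :", stored, "verify:", verify("password", stored))
```

The key-rule checks are why a default key in the scaffolding is harmless from a format standpoint: any string a developer types is a valid HMAC key. The salt is the practitioner's caveat to "better than unsalted MD5": a shared app key alone still lets two accounts with the same password be spotted from their identical hashes.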