Or better, auth.hmac_key_auto(), which would generate a random key, store it in private/hmac.key and retrieve it when needed.

On Aug 2, 3:19 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> OK. Here is a proposal then.
>
> The only place where CRYPT is used in the scaffolding app is in Auth.
> Let's allow a new
>
> auth.settings.hmac_key=None
>
> set to None by default in Auth (not to break backward compatibility)
> but let's add a new line to welcome/models/db.py
>
> auth.settings.hmac_key='change this line'
>
> So that new apps use HMAC. This will not require migrations and just
> three line changes. Would it satisfy you?
>
> Massimo
>
> On Aug 2, 2:45 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>
> > On Aug 2, 2009, at 12:24 PM, mdipierro wrote:
> >
> > > But if there is a default key then everybody knows the default key.
> > > What's the point? The key has to be passed and has to be unique for
> > > every app.
> >
> > The point is that the resulting hashes aren't in publicly available
> > precomputed rainbow tables.
> >
> > And the default key could be something like: key='change this key to
> > something application-specific!'
> >
> > Better than unsalted MD5, and an easy-to-comply-with nudge to the
> > developer.
> >
> > (Query: are SHAx HMAC keys arbitrary byte strings, or are they
> > restricted in some way?)
> >
> > > On Aug 2, 1:52 pm, Fran <francisb...@googlemail.com> wrote:
> > >> On Aug 2, 7:41 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> > >>
> > >>> Then let's make this the default, with a default key.
> > >>
> > >> +1
> > >> An easy way to add /some/ security (i.e. helps against attacks which
> > >> don't know about web2py) & if this is in the scaffolding app, then it
> > >> makes it clearer that this is a change people should make in their
> > >> own code...
> > >>
> > >> F
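The hmac_key_auto() idea from the top of this message, worked through as an added example; this is not web2py's own code, and the names hmac_key_auto, hmac_hash, verify_hash and hmac_key_length_is_free, the 32-byte key size and the sha512 default are all assumptions. The key is generated once with a restricted file mode and reused on later calls (so existing password hashes stay verifiable), and the last function answers the quoted question about HMAC key restrictions: per RFC 2104 an HMAC key is an arbitrary byte string of any length, with over-long keys hashed down to the block size and short keys zero-padded.

```python
"""Self-managed HMAC key for password hashing (added example, not web2py code)."""
import hashlib
import hmac
import os
import secrets
from pathlib import Path

KEY_BYTES = 32  # assumption: 256-bit random key; the thread fixes no size


def hmac_key_auto(private_dir):
    """Return the app's HMAC key, creating <private_dir>/hmac.key on first use.

    The file is created owner-read/write only (mode 0o600) so that other local
    accounts cannot read the key, and with O_EXCL so that two workers racing
    to create it cannot overwrite each other's key.
    """
    key_path = Path(private_dir) / "hmac.key"  # path named in the message
    if key_path.exists():
        return key_path.read_bytes()
    key_path.parent.mkdir(parents=True, exist_ok=True)
    key = secrets.token_bytes(KEY_BYTES)
    try:
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # another process won the race; use the key it wrote
        return key_path.read_bytes()
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def hmac_hash(password, key, digest="sha512"):
    """Keyed hash of a password, stored as '<digest>$<hexdigest>'.

    With a per-app secret key, precomputed (rainbow) tables built for plain
    unsalted hashes of common passwords no longer match the stored values.
    """
    mac = hmac.new(key, password.encode("utf-8"), digest)
    return "%s$%s" % (digest, mac.hexdigest())


def verify_hash(password, key, stored):
    """Recompute the keyed hash and compare in constant time."""
    digest, _, _ = stored.partition("$")
    return hmac.compare_digest(hmac_hash(password, key, digest), stored)


def hmac_key_length_is_free(message=b"constructed sample"):
    """RFC 2104: keys longer than the hash block size are hashed first, and
    shorter keys are zero-padded to the block size, so any byte string works.
    Returns True when both equivalences hold for HMAC-SHA256 (64-byte block).
    """
    long_key = b"k" * 100
    over_long = hmac.new(long_key, message, "sha256").hexdigest()
    pre_hashed = hmac.new(hashlib.sha256(long_key).digest(), message, "sha256").hexdigest()
    short_key = b"abc"
    short = hmac.new(short_key, message, "sha256").hexdigest()
    padded = hmac.new(short_key + b"\x00" * (64 - len(short_key)), message, "sha256").hexdigest()
    return over_long == pre_hashed and short == padded


if __name__ == "__main__":
    import tempfile

    app_private = tempfile.mkdtemp()  # stands in for the app's private/ dir
    key = hmac_key_auto(app_private)
    stored = hmac_hash("correct horse", key)
    print(stored)
    print("verify:", verify_hash("correct horse", key, stored))
    print("key length unrestricted:", hmac_key_length_is_free())
```

Note that the key file, not the hash format, is now the secret that must be backed up alongside the database: losing private/hmac.key makes every stored password hash unverifiable, which is the flip side of the key being application-specific.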