So if I'm importing a csv of users into auth_user.password I'd need to use the same hmac_key to generate the passwords used in the source csv.
On Tue, Jan 4, 2011 at 8:10 PM, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> using a salt (token in your example) is a bit primitive and vulnerable
> to certain attacks.
>
> Web2py uses hmac+md5 or hmac+sha512.
>
> The password can be specified by:
>
> auth.settings.hmac_key='sha512:mypassword'
>
> which is passed to the validator
>
> CRYPT(hmac_key='....')
>
>
> Massimo
>
> The prefix: (sha512) specifies the algorithm.
>
> On Jan 4, 6:31 pm, David Bain <pigeonfli...@gmail.com> wrote:
> > I'm not sure how passwords are hashed in web2py. If it uses a token, where
> > is it stored.
> >
> > I'm guessing that it uses something like this:
> >
> > from hashlib import md5
> >
> > token = 'insecure'
> >
> > tokenizedHash = md5(password + token)
> >
> > print tokenizedHash.hexdigest()
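The point made in this thread, as an added example that is not part of the original messages and is not web2py's own code: a keyed HMAC hash prepared for a CSV import only verifies later if it was generated with the same `alg:key` setting. It assumes the stored value is the hex HMAC digest of the password under the key and that md5 applies when no prefix is given; the function names, CSV column names and sample users are hypothetical.

```python
import csv
import hashlib
import hmac
import io


def parse_hmac_key(setting, default_alg="md5"):
    """Split an 'alg:key' setting such as 'sha512:mypassword' into (alg, key)."""
    alg, sep, key = setting.partition(":")
    if not sep:                       # no prefix: the whole string is the key
        return default_alg, setting   # default algorithm is an assumption
    if alg not in hashlib.algorithms_available:
        raise ValueError("unknown digest algorithm: %r" % alg)
    return alg, key


def hash_password(password, setting):
    """Hex HMAC digest of the password under the site key (assumed storage format)."""
    alg, key = parse_hmac_key(setting)
    return hmac.new(key.encode("utf-8"), password.encode("utf-8"), alg).hexdigest()


def check_password(password, stored, setting):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_password(password, setting), stored)


def build_import_csv(users, setting):
    """users: iterable of (email, plaintext). Returns CSV text with hashed passwords."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["email", "password"])          # hypothetical column names
    for email, plaintext in users:
        writer.writerow([email, hash_password(plaintext, setting)])
    return out.getvalue()


if __name__ == "__main__":
    site_key = "sha512:mypassword"                  # value quoted in the thread
    sample = [("alice@example.com", "correct horse"),   # constructed sample users
              ("bob@example.com", "battery staple")]
    print(build_import_csv(sample, site_key))
    stored = hash_password("correct horse", site_key)
    print(check_password("correct horse", stored, site_key))         # same key
    print(check_password("correct horse", stored, "sha512:other"))   # different key
```
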