So I was having a bit of confusion over the method that Django uses to protect passwords. The issue I had was that it seemed insecure to have the salt publicly available in the database, since anyone who gets hold of the database would know the salt. After rereading the Django book and doing some additional research, I discovered that this method is particularly targeted at rainbow table attacks and is indeed viewed by many as a better option than a system-wide hidden salt.
However, I'm a bit curious about the significance of adding a second salt to the password before it is hashed and then using the regular per-user salt. Currently my opinion is that there is an added benefit, since it makes dictionary attacks more challenging, and possibly almost impossible if the attacker does not know the hidden salt. Django has a SECRET_KEY in the settings file; I'm wondering why this could not have been used as a second salt in the authentication system.
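To make the trade-off in the post concrete, here is an added example (written for this page, not Django's own password code) that hashes a password two ways: with a per-user salt stored next to the hash, and with the same per-user salt plus a server-side secret ("pepper") that stands in for the SECRET_KEY idea. The `PEPPER` value, the iteration count, the `pbkdf2_sha256$iterations$salt$hash` record layout and all function names are assumptions chosen for the example. The `dictionary_attack` helper plays the attacker who has stolen the database: the salt is in the record, so guess-and-check works against the salt-only scheme, but the same wordlist fails against the peppered record unless the secret was stolen too.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed values for the example. In a real deployment the pepper would be
# loaded from settings (e.g. a dedicated secret or Django's SECRET_KEY), never
# written to the database that holds the hashes.
PEPPER = b"example-server-secret-not-in-the-database"
ITERATIONS = 100_000
SALT_BYTES = 16


def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    """Slow, salted key derivation; PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def make_record(password: str, pepper: Optional[bytes] = None,
                salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (layout chosen for this example).

    salt:   per-user random value stored in the clear beside the hash.
    pepper: optional server-side secret. When given, the password is first run
            through HMAC-SHA256 keyed with the pepper, then salted and stretched,
            so the stored hash cannot be recomputed without the secret.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    pw = password.encode("utf-8")
    if pepper is not None:
        pw = hmac.new(pepper, pw, hashlib.sha256).digest()
    digest = _pbkdf2(pw, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, record: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute the record with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, _digest_hex = record.split("$")
    if algo != "pbkdf2_sha256" or int(iterations) != ITERATIONS:
        raise ValueError("unsupported record format")
    candidate = make_record(password, pepper, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def dictionary_attack(record: str, wordlist: List[str],
                      pepper: Optional[bytes] = None) -> Optional[str]:
    """Offline guess-and-check over a stolen record.

    The attacker always knows the per-user salt (it is inside the record) but
    only knows the pepper if it was stolen along with the database.
    """
    for guess in wordlist:
        if check_password(guess, record, pepper):
            return guess
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a weak password that appears in a small wordlist."""
    wordlist = ["123456", "password", "letmein", "hunter2", "qwerty"]
    user_password = "hunter2"
    salt_only = make_record(user_password)              # per-user salt only
    peppered = make_record(user_password, PEPPER)       # per-user salt + hidden pepper
    return {
        "salt_only": dictionary_attack(salt_only, wordlist),
        "peppered_without_secret": dictionary_attack(peppered, wordlist),
        "peppered_with_secret": dictionary_attack(peppered, wordlist, PEPPER),
    }


if __name__ == "__main__":
    for scenario, recovered in demo().items():
        print(f"{scenario}: {'recovered ' + recovered if recovered else 'not recovered'}")
```

Two caveats a practitioner would want next to this: the pepper only helps if it is genuinely separated from the database (a settings file on the same host, or in the same backup, leaks together with the hashes), and because the stored hash depends on the secret, changing the pepper invalidates every stored hash, so rotating it means forcing re-hashes at next login rather than a simple config edit.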