That's a subject which comes up every few months, sadly.
In a nutshell, if something requires python >= 2.5 or a lib for older
versions of Python, forget about adding it.
See f. e. http://code.djangoproject.com/ticket/5600 which was closed as
a no-fix 3 years ago (full disclosure: I'm coh in that bug report).
There was also a discussion on this mailing list a few weeks ago about
increasing the salt length, but afaik it had no code-change as a result.
I apologize if I sound a bit grumpy, but I've spent the last 5 days with
monkey-patching a local branch of the auth lib up to the latest in
security (SHA512, 128-bit salt, pre-stretching, pbkdf2, stronger random
token generation (salt, csrf, default-password)), now it spreads into
other areas of the django-lib as well (currently SECRET_KEY in the
startproject script).
Of course I would very much welcome such a proposal, yet I just believe
the odds for it to happen are (very) low.
Cheers,
coh
On 02/11/2011 06:59 AM, William Ratcliff wrote:
Hi! I'm new to the list and have started to look into authentication.
I find that I will need to patch it for my own needs, but would like
to ask the opinions of others who are more familiar with the code-base
than I am. I apologize if I make any mistakes in the protocol of the
list in matters such as including too much code.
SHA1 is not secure. This is not a nationalism issue. For example:
http://www.darknet.org.uk/2010/11/sha-1-password-hashes-cracked-using-amazon-ec2-gpu-cloud/
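
An added example, not part of the original thread or of Django's code: a sketch of the kind of upgrade discussed above, which verifies a legacy single-pass `sha1$salt$hash` entry and re-encodes it on successful login with PBKDF2-HMAC-SHA512 and a 128-bit random salt. The `pbkdf2_sha512` label, the iteration count, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def encode_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha512$<iterations>$<salt>$<hex digest>' (label is hypothetical)."""
    salt = salt or secrets.token_hex(16)  # 16 random bytes = 128-bit salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha512$%d$%s$%s" % (iterations, salt, digest.hex())


def encode_legacy_sha1(password, salt):
    """Legacy layout 'sha1$<salt>$<sha1(salt + password)>': one unstretched pass."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def check_password(password, encoded):
    """Return (ok, new_encoded); new_encoded is set when the stored hash should be replaced."""
    algorithm, rest = encoded.split("$", 1)
    if algorithm == "pbkdf2_sha512":
        iterations, salt, _ = rest.split("$")
        expected = encode_pbkdf2(password, salt, int(iterations))
        ok = hmac.compare_digest(expected, encoded)  # constant-time comparison
        upgrade = ok and int(iterations) < PBKDF2_ITERATIONS
    elif algorithm == "sha1":
        salt, _ = rest.split("$")
        ok = hmac.compare_digest(encode_legacy_sha1(password, salt), encoded)
        upgrade = ok  # any legacy hash is re-encoded once the password is known
    else:
        raise ValueError("unknown hash algorithm: %r" % algorithm)
    return ok, (encode_pbkdf2(password) if upgrade else None)


if __name__ == "__main__":
    # Constructed sample: a legacy entry with a short 5-character salt.
    stored = encode_legacy_sha1("correct horse", "a1b2c")
    ok, replacement = check_password("correct horse", stored)
    print(ok, replacement)
```

The caller stores `new_encoded` in place of the old value whenever it is not `None`, so legacy hashes disappear as users log in.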