Wow--you're ahead of me! Is your custom auth public source? If so, may I see the repo? Also, for increasing the length of the salt, are you referring to:
http://code.djangoproject.com/attachment/ticket/13969/better_salting.diff

I thought it was marked as accepted. But I just checked out SVN and you are correct that it is not using gen_salt. Does anyone know when it will be included?

Thanks,
William

On Fri, Feb 11, 2011 at 9:50 AM, Clemens-O. Hoppe <clemens.o.ho...@googlemail.com> wrote:

> That's a subject which comes up every few months, sadly.
>
> In a nutshell, if something requires python >= 2.5 or a lib for older
> versions of Python, forget about adding it.
>
> See f. e. http://code.djangoproject.com/ticket/5600 which was closed as a
> no-fix 3 years ago (full disclosure: I'm coh in that bug report). There was
> also a discussion on this mailing list a few weeks ago about increasing the
> salt length, but afaik it had no code-change as a result.
>
> I apologize if I sound a bit grumpy, but I've spent the last 5 days with
> monkey-patching a local branch of the auth lib up to the latest in security
> (SHA512, 128-bit salt, pre-stretching, pbkdf2, stronger random token
> generation (salt, csrf, default-password)), now it spreads into other areas
> of the django-lib as well (currently SECRET_KEY in the startproject script).
>
> Of course I would very much welcome such a proposal, yet I just believe the
> odds for it to happen are (very) low.
>
> Cheers,
>
> coh
>
>
> On 02/11/2011 06:59 AM, William Ratcliff wrote:
>
>> Hi! I'm new to the list and have started to look into authentication. I
>> find that I will need to patch it for my own needs, but would like to ask
>> the opinions of others who are more familiar with the code-base than I am.
>> I apologize if I make any mistakes in the protocol of the list in matters
>> such as including too much code.
>>
>> SHA1 is not secure. This is not a nationalism issue.
>> For example:
>>
>> http://www.darknet.org.uk/2010/11/sha-1-password-hashes-cracked-using-amazon-ec2-gpu-cloud/
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
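
The hardening listed in the quoted reply (SHA512, a 128-bit salt, PBKDF2 stretching, salts from a strong random source) can be sketched with the Python 3 standard library. This is an added example, not part of the thread and not Django's or coh's code; the `algorithm$iterations$salt$hash` storage format, the iteration count and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha512"  # label chosen for this example
ITERATIONS = 200_000         # assumed work factor; tune to your hardware
SALT_BYTES = 16              # 128-bit salt, as mentioned in the thread


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt$hash' using a fresh CSPRNG salt."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password, encoded):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = encoded.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # wrong field count, bad base64, bad iteration count
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(encoded):
    """True when a stored hash uses another scheme or a lower work factor,
    so it can be upgraded at the user's next successful login."""
    parts = encoded.split("$")
    return not (len(parts) == 4 and parts[0] == ALGORITHM
                and parts[1].isdigit() and int(parts[1]) >= ITERATIONS)
```

Storing the algorithm label and iteration count beside each hash is what lets a site raise the work factor later without invalidating existing passwords.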