On Tuesday, July 20, 2010 2:23:52 PM UTC-4, Craig Younkins wrote:
>
> Maybe. The issue in my mind with bcrypt and scrypt is that they are not
> validated by NIST or NSA, unlike SHA-2. Blowfish was examined by NIST for
> the AES competition but to my knowledge the use of hashing has not been.
> S
On Tue, Jul 20, 2010 at 12:09 PM, Jacob Kaplan-Moss wrote:
> On Tue, Jul 20, 2010 at 8:41 AM, Craig Younkins wrote:
> > I'm very glad you don't have MD5 as the default. SHA-1 (currently employed)
> > is acceptable for now, but at this point there are theoretical attacks that
> > can find co
Hey Craig --
Thanks for the notes - this is good stuff!
On Tue, Jul 20, 2010 at 8:41 AM, Craig Younkins wrote:
> I'm very glad you don't have MD5 as the default. SHA-1 (currently employed)
> is acceptable for now, but at this point there are theoretical attacks that
> can find collisions in time
Please note this email does not include or indicate a specific, immediately
viable flaw.
I'm doing a brief analysis of the contrib.auth system:
http://www.pythonsecurity.org/wiki/django/#authentication . I have a couple
of notes that I'd like to share with you.
- I'm very glad you don't have M