1. Marcin Kuzminski
  2. RhodeCode
  3. Issues

Issues

Issue #25 resolved

auth.py depends on crypt

slestak
created an issue

This prevents an install on non-unix systems. Talked with pylons crew and got a suggestion to use bcrypt.

In pypi, i see 3-4 bcrypt wrappers. I can send a patch if you like but wanted to touch base before monkeypatching.

Comments (10)

  1. Marcin Kuzminski repo owner

    I'd rather write my own hashing function based on sha1 (mixing hashes would be very secure) than use bcypt. I tried py-bcrypt and it might be very secure buy crypting speed for me was unacceptable. But we're talking about crypt here so I'll for sure change crypt function to some custom hashlib based solution.

  2. slestak reporter

    Is it advisable to clone teh default branch into an hg-app dir residing in my virtualenv? Not sure how to update hg-app as you develop.

  3. Anonymous

    I'm one of the people slestak has been talking with. If, after reading those links, you still don't want to use bcrypt, please use the hmac library in the stdlib instead of hashlib directly. It'd be best to use hmac with a random key for each password, which you store with the hashed password, but even a fixed key would be better than the current homebrew situation, which is vulnerable to rainbow tables.

  4. Marcin Kuzminski repo owner

    Thank's for feedback, after reading it, i decided to go with bcrypt, crypting with bcrypt.gensalt(10) is reasonable fast.

    About the working with latest version i recommend clone of the hg-app from bb, and do updates from the repository. One disadvantage is that, the db models aren't stable so it's often requirement to rebuild the database.

    Regards

  5. Log in to comment