Message from discussion AuthTktAuthenticationPolicy using MD5
Domen Kožar  
From: Domen Kožar <do...@dev.si>
Date: Fri, 21 Sep 2012 19:54:34 +0200
Local: Fri, Sep 21 2012 1:54 pm
Subject: Re: AuthTktAuthenticationPolicy using MD5

For generating secrets it's important to discourage usage of the random module,
but use something like:

    import os
    # 128 bytes from the OS CSPRNG, hex-encoded; bytearray() makes it work on
    # both Python 2 (str) and Python 3 (bytes) output of os.urandom()
    secret = ''.join('%02x' % b for b in bytearray(os.urandom(128)))

On Fri, Sep 21, 2012 at 7:50 PM, Jonathan Vanasco <jonat...@findmeon.com> wrote:

>> Additionally you could provide help on how to generate such a secret (but
>> that's extra candy). I have looked through various parts of the
>> documentation and it is always set to something like 'seekrit' and similar,
>> but it is never mentioned how to make sure that this is secure.

> fwiw, wordpress has had this feature for a while: the docs instruct you to
> visit the following url, which generates valid secret strings.
>      http://api.wordpress.org/secret-key/1.1/

> i think most of the application scaffolds will generate a secret - but it
> might be useful feature to just have a secret-key generator on the
> pylonsproject.org site and referenced in the docs.

> I've also generally disliked the mod_authtkt for a few years. i've opted
> for an approach where the secret rotates based on the timestamp and/or
> ip/other data.  it's a bit harder to set up in a clustered environment, but
> the tickets are HMAC with SHA512 with rotating keys.  it doesn't make it
> unbreakable, but just a bit more of pain to break and with some sort of
> timed window before you need to break it again.

> --
> You received this message because you are subscribed to the Google Groups
> "pylons-devel" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/pylons-devel/-/4dxNXUSoAPAJ.

> To post to this group, send email to pylons-devel@googlegroups.com.
> To unsubscribe from this group, send email to
> pylons-devel+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/pylons-devel?hl=en.
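The two ideas in this exchange, a secret drawn from os.urandom rather than the random module, and HMAC-SHA512 tickets whose signing key rotates on a time window with a short grace period, in one working Python 3 script. This is an added example, not code from the thread, from Pyramid's AuthTktAuthenticationPolicy or from mod_auth_tkt; the function names, the "index!userid!mac" ticket format, the per-window key derivation and the one-hour window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Hypothetical names, ticket format and window length, constructed for this example.
WINDOW_SECONDS = 3600  # how often the signing key rotates


def generate_secret(nbytes=64):
    """Hex-encoded master secret from the OS CSPRNG (os.urandom), never from random."""
    return os.urandom(nbytes).hex()


def window_index(now, window=WINDOW_SECONDS):
    """Integer index of the rotation window that contains timestamp `now`."""
    return int(now) // window


def derive_key(master_secret, index):
    """Per-window signing key: HMAC-SHA512 of the window index under the master secret.

    Only the master secret is configured; every node in a cluster derives the same
    per-window key from it, so rotation needs no coordination beyond synced clocks."""
    return hmac.new(master_secret.encode("utf-8"), b"window:%d" % index,
                    hashlib.sha512).digest()


def make_ticket(master_secret, userid, now=None, window=WINDOW_SECONDS):
    """Return 'index!userid!mac', signed with the key of the window containing `now`."""
    now = time.time() if now is None else now
    index = window_index(now, window)
    payload = "%d!%s" % (index, userid)
    mac = hmac.new(derive_key(master_secret, index), payload.encode("utf-8"),
                   hashlib.sha512).hexdigest()
    return payload + "!" + mac


def verify_ticket(master_secret, ticket, now=None, window=WINDOW_SECONDS, grace=1):
    """Return the userid if the ticket is well-formed, current and authentic, else None.

    A ticket is accepted only for the current window or one of the `grace` windows
    before it, so a recovered per-window key is useful for at most
    window * (grace + 1) seconds."""
    now = time.time() if now is None else now
    try:
        payload, mac = ticket.rsplit("!", 1)
        index_str, userid = payload.split("!", 1)
        index = int(index_str)
    except ValueError:
        return None  # malformed ticket
    current = window_index(now, window)
    if not (current - grace <= index <= current):
        return None  # expired, or claims a window that has not started yet
    expected = hmac.new(derive_key(master_secret, index), payload.encode("utf-8"),
                        hashlib.sha512).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return userid


if __name__ == "__main__":
    secret = generate_secret()
    ticket = make_ticket(secret, "alice")
    print(ticket)
    print(verify_ticket(secret, ticket))
```

On Python 3.6 and later, `secrets.token_hex(64)` yields the same kind of value as `generate_secret()`; both read the operating-system CSPRNG. The grace window is what makes clustered deployment tolerable, as the quoted message notes: nodes only need clocks that agree to within one window, and a ticket issued just before a rotation is still honoured for one more window instead of logging the user out.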

