Password Generator


Tim

Jul 11, 2006, 1:52:11 PM
to Django users
I'm pretty new at this Django stuff and I really like using the free
Admin except for creating new users because it's difficult to create
passwords. Is there anyone out there interested in building a "Django
Password Generator" -- a utility to create the string for inserting new
users?

It would be a great way to attract some visitors to a new project, for
example. ;-)

Scott McCracken

Jul 11, 2006, 11:18:24 PM
to Django users
I also ran into this problem when trying to create new users in the
Django admin interface. According to the Django documentation "We've
added extra security to the stored passwords in Django's authentication
system. Thanks to a patch from GomoX, passwords are now stored with a
salt and use SHA-1 encryption instead of MD5."

If anyone could shed some light on a SHA-1 password generator it would
be much appreciated. Thanks!

Malcolm Tredinnick

Jul 11, 2006, 11:27:55 PM
to django...@googlegroups.com

To quote from mail I sent to this list just yesterday:

"To create this string from the raw password, you have to use
some code like that found in
django.contrib.auth.models.User.setpassword() (you can't use
that code precisely, because it is designed to work with a user
object)."

Malcolm


Felix Ingram

Jul 12, 2006, 5:12:46 AM
to django...@googlegroups.com

This is the code from setpassword():

def set_password(self, raw_password):
    import sha, random
    algo = 'sha1'
    salt = sha.new(str(random.random())).hexdigest()[:5]
    hsh = sha.new(salt+raw_password).hexdigest()
    self.password = '%s$%s$%s' % (algo, salt, hsh)

So whack the following into a script or type it into an interactive session

import sha, random
raw_password = 'PUT YOUR PASSWORD HERE'  # Don't leave it in clear in a script though
algo = 'sha1'
salt = sha.new(str(random.random())).hexdigest()[:5]
hsh = sha.new(salt+raw_password).hexdigest()
print "%s$%s$%s" % (algo, salt, hsh)

Hope that helps,

F.

Felix Ingram

Jul 12, 2006, 5:46:53 AM
to django...@googlegroups.com
On 7/12/06, Felix Ingram <f.ingra...@gmail.com> wrote:
> On 7/12/06, Malcolm Tredinnick <mal...@pointy-stick.com> wrote:

<snip>

> So whack the following into a script or type it into an interactive session
>
> import sha, random
> raw_password = <PUT YOUR PASSWORD HERE (Don't leave it in clear in a
> script though)>
> algo = 'sha1'
> salt = sha.new(str(random.random())).hexdigest()[:5]
> hsh = sha.new(salt+raw_password).hexdigest()
> print "%s$%s$%s" % (algo, salt, hsh)

I've put the above on the wiki
(http://code.djangoproject.com/wiki/AdminApplication) which is off the
common pitfalls page. Someone can move it to somewhere more
appropriate if need be. People could then point to this rather than
explain to newbies how helpful they are on #django.

F.

Jyrki Pulliainen

Jul 12, 2006, 6:29:52 AM
to django...@googlegroups.com
On 7/12/06, Felix Ingram <f.ingra...@gmail.com> wrote:
> > salt = sha.new(str(random.random())).hexdigest()[:5]

Dunno is this really a developer question, but is there really a point
using sha there? That one could be done without sha too using
random.getrandbits(bits), eg.:

('%x' % random.getrandbits(128))[:5]

Not as pretty as the sha-solution, but a bit more efficient and not
using the 'useless' sha there.

--
Jyrki // jyrki.pu...@gmail.com
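
Added example, not part of the original thread or Django's own code: a Python 3 version of the script above that builds and verifies the sha1$salt$hash string, draws the salt from the secrets module, and reads the password with getpass instead of a literal. The function names and the UTF-8 encoding of the password are assumptions; this single-pass salted SHA-1 format is the 2006 one discussed here, and current Django releases default to PBKDF2.

```python
import getpass
import hashlib
import hmac
import secrets


def make_legacy_hash(raw_password, salt=None):
    """Return 'sha1$<salt>$<hex digest>' in the format built by the thread's script."""
    if salt is None:
        # 5 hex characters, the same length as the thread's salt,
        # but drawn from the OS CSPRNG rather than random.random()
        salt = secrets.token_hex(3)[:5]
    # Assumption: the password is encoded as UTF-8 before hashing
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "%s$%s$%s" % ("sha1", salt, digest)


def check_legacy_hash(raw_password, encoded):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, salt, digest = encoded.split("$")
    except ValueError:
        return False  # not exactly three '$'-separated fields
    if algo != "sha1":
        return False
    expected = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected.encode("utf-8"), digest.encode("utf-8"))


if __name__ == "__main__":
    # getpass prompts without echo, so the password never appears in the
    # script source, the command line, or the shell history file
    print(make_legacy_hash(getpass.getpass("Password: ")))
```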

Felix Ingram

Jul 12, 2006, 6:42:08 AM
to django...@googlegroups.com

I don't see a problem with your solution. I just copied the existing
code. I wouldn't worry about efficiency (though I suspect you're not
really) given the number of times this function is likely to be used.
Sha'ing random won't make it any more random; I suppose it's just down
to personal preference.

F.


Jyrki Pulliainen

Jul 12, 2006, 6:50:30 AM
to django...@googlegroups.com
On 7/12/06, Felix Ingram <f.ingra...@gmail.com> wrote:
>
> On 7/12/06, Jyrki Pulliainen <jyrki.pu...@gmail.com> wrote:
> >
> > On 7/12/06, Felix Ingram <f.ingra...@gmail.com> wrote:
> > > > salt = sha.new(str(random.random())).hexdigest()[:5]
> >
> > Dunno is this really a developer question, but is there really a point
> > using sha there? That one could be done without sha too using
> > random.getrandbits(bits), eg.:
> >
> > ('%x' % random.getrandbits(128))[:5]
> >
> > Not as pretty as the sha-solution, but a bit more efficient and not
> > using the 'useless' sha there.
>
> I don't see a problem with your solution. I just copied the existing
> code. I wouldn't worry about efficiency (though I suspect you're not
> really) given the number of times this function is likely to be used.
> Sha'ing random won't make it any more random; I suppose it's just down
> to personal preference.

Yeah, that's probably not so time critical. This was just general wondering :)

By the way, you could mention on the wiki page that the user shouldn't
use your script on any server whose admin(s) he/she cannot trust.
Linux is as secure as any else if the admin is worth trusting. :)

Also, the history file can be made unreadable by other users if it's
not already so (chmod 0700 ~/.bash_history)

--
Jyrki // jyrki.pu...@gmail.com

Scott McCracken

Jul 12, 2006, 1:33:46 PM
to Django users
Felix Ingram wrote:
> I've put the above on the wiki
> (http://code.djangoproject.com/wiki/AdminApplication) which is off the
> common pitfalls page.

Felix - many thanks for the great explanation. This is exactly what I
was looking for.

Tim

Jul 12, 2006, 5:42:47 PM
to Django users
Thanks Felix. This works great.
