Closed stephenmac7 closed 8 years ago
I agree with your point. Please submit a pull request with an implementation of your suggestion.
I think I might be able to do this for that certain page, but not in the next section of the tutorial (sqlalchemy) as I've never used a relational database with an ORM.
The tutorial should probably just use https://pypi.python.org/pypi/cryptacular/1.4.1 or https://pypi.python.org/pypi/passlib/1.6.1 to handle the passwords if you want to do that part right. Algorithms like bcrypt automatically use a salt inherent in the algorithm.
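An added example, not from this thread and not code from the Pyramid, passlib or cryptacular projects, illustrating the point above: a password-hashing scheme whose stored value carries its own algorithm, cost and random salt, so the application never stores or compares a bare digest. To keep it runnable without third-party packages it uses the standard library's PBKDF2-HMAC-SHA256 in place of bcrypt; the storage format, the iteration count, the helper names and the sample passwords are all constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: a self-describing password record in the spirit of the
# "modular crypt" strings bcrypt and passlib produce, built from the standard
# library only (PBKDF2-HMAC-SHA256) so it runs without extra packages.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumption: raise this to match your production hardware
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$key' with a fresh random salt.

    As with bcrypt, the salt travels inside the stored value, so the caller
    never manages it separately and cannot forget to use one.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    try:
        algorithm, iter_text, salt_b64, key_b64 = stored.split("$")
        iterations = int(iter_text)
        salt = _unb64(salt_b64)
        expected = _unb64(key_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Two users with the same password get different records; both still verify."""
    secret = "correct horse battery staple"  # constructed sample password
    alice = hash_password(secret)
    bob = hash_password(secret)
    return {
        "hashes_differ": alice != bob,
        "alice_ok": verify_password(secret, alice),
        "bob_ok": verify_password(secret, bob),
        "wrong_rejected": verify_password("Correct horse battery staple", alice),
        "garbage_rejected": verify_password("anything", "not-a-hash"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The shape is the same one passlib gives you through `CryptContext(schemes=["bcrypt"])` with its `hash()` and `verify()` methods: store whatever `hash()` returns, hand the stored string back to `verify()`, and let the library own the salt and the cost parameter. If a tutorial adopts one of those libraries, the only application-side rule that remains is to compare through the library's verify routine rather than by string equality.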
I was planning on using the bcrypt library with hmac.
This tutorial has been superseded by the official Quick Tutorial for Pyramid which does not yet use encryption as a best practice.
But the updated tutorial Pyramid Blogr uses passlib and has a warning about best practices.
I've opened an issue: https://github.com/Pylons/pyramid/issues/2204
In the getting started tutorial, on the tenth page (Security), there is no password hashing. This is an absolute requirement for security and anyone who does not know this will not hash their passwords after reading the tutorial.