What steps will reproduce the problem?
call webapp2_extras.security.generate_password_hash() without specifying a
method:
http://webapp-improved.appspot.com/_modules/webapp2_extras/security.html#generate_password_hash
What is the expected output? What do you see instead?
I expect to store passwords using a secure hash function. Instead I see a
system defaulting to SHA1. SHA1 is a broken hash function that is now two
generations old; we have SHA3!
webapp2, and anyone using this password storage method, is vulnerable to
CWE-916: Use of Password Hash With Insufficient Computational Effort:
http://cwe.mitre.org/data/definitions/916.html
What version of the product are you using? On what operating system?
Google App Engine v1.8.0
Please provide any additional information below.
You should be using bcrypt, scrypt, or PBKDF2. Bcrypt is probably the best
choice:
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415
Original issue reported on code.google.com by firealwa...@gmail.com on 29 May 2013 at 9:59
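Added example, not part of the original report and not webapp2's own code: a constructed single-pass salted-SHA1 record of the kind the report objects to (CWE-916), next to a PBKDF2-HMAC-SHA256 record with a stored iteration count, plus a verify routine that still accepts legacy records so existing users can be rehashed at their next login. The iteration count and record formats are assumptions chosen for illustration.

```python
import binascii
import hashlib
import hmac
import os

# Minimum cost for new records. Assumption: tune so one hash takes
# roughly 100-300 ms on the production host.
PBKDF2_ITERATIONS = 600_000


def weak_sha1_hash(password, salt=None):
    """One pass of salted SHA1: the kind of default the report objects to.
    Constructed illustration of CWE-916, not webapp2's own implementation."""
    if salt is None:
        salt = binascii.hexlify(os.urandom(8)).decode()
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)

def strong_pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and a stored
    iteration count, so the cost can be raised later without a schema change."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, binascii.hexlify(salt).decode(), binascii.hexlify(dk).decode())

def verify_password(password, stored):
    """Check a password against either record format using a constant-time
    compare. Legacy sha1 records still verify so existing users can log in
    and be upgraded; see needs_rehash()."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        candidate = weak_sha1_hash(password, salt=parts[1])
        return hmac.compare_digest(candidate.encode(), stored.encode())
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        iterations, salt = int(parts[1]), binascii.unhexlify(parts[2])
        expected = binascii.unhexlify(parts[3])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 iterations, dklen=len(expected))
        return hmac.compare_digest(dk, expected)
    return False  # unknown or malformed record

def needs_rehash(stored):
    """True when a record uses sha1 or an iteration count below today's
    minimum; call after a successful verify and store strong_pbkdf2_hash()."""
    parts = stored.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS
```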