[Twisted-Python] Password hash for Perspective Brokers

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Thu Jul 26 12:43:28 EDT 2012

On 02:28 pm, spalax at gresille.org wrote:
>         Hello
>         I have a problem with checkers in Twisted, which could be 
>solved by
>adding a new feature. I think I can write the necessary code, but 
>doing so, I would like to hear you about it.
># The problem
>         If I am right, the only way passwords can be hashed when using
>authentication with perspective brokers is using MD5 [1]. However, 
>are two flaws with it.
>* First, MD5 is no longer considered sure. It may be possible, from the
>hashed password, to find the original one.
>* Second, in the current implementation of Twisted, no salt is used to
>hash the password. A salt is considered good practise : it is harder to
>find the password from the hashed form, and two identical passwords 
>different hashed form, which prevent someone looking at the hashed
>passwords to see if two users have the same password.

The second point is incorrect.  The hash is salted.  See the `respond` 
method in twisted/spread/pb.py.
># A solution
>         I tried to implement the solution proposed in [1], and I think 
>I can
>manage to do it. However, this seems to be a not-so-smart hack, which 
>not guaranteed to work in future releases of Twisted. That is why I am
>proposing a patch.
>         The patch would introduce some arguments to class 
>PBServerFactory [2]
>to use (or not) a salt, and a different hash function. I am not settled
>down yet about the new signature of this class, but what is sure is 
>the default must be the actual behaviour, not to break programs already
>using Twisted. Then, I hesitate between

A good approach would be to parameterize the supported authentication 
mechanisms in an extensible way, rather than just hard coding one or two 
new (probably better) options.

In other words, a SASL implementation for PB would be the best way to 

The existing API and behavior should indeed be preserved as-is for 
backwards compatibility.  The new authentication features should be 
exposed under a new API - either as new optional arguments accepted by 
PBServerFactory (and perhaps PBClientFactory) and new login methods 
(again, probably on those two classes).


More information about the Twisted-Python mailing list