notebook -- evidently only the first 6 characters are significant???

[was]

Hi,

There is a password issue with sage notebook account. Please read below:

Sameer

On Fri, Dec 11, 2009 at 1:22 PM, Sameer Regmi <> wrote:
> On Fri, Dec 11, 2009 at 1:16 PM, Ondrej Certik <> wrote:
>> On Fri, Dec 11, 2009 at 1:12 PM, Sameer <> wrote:
>>> Hi I have found a weird issue with FEMhub online lab account. Let's
>>> say my password is "nevada". Then whenever I enter any text (in
>>> password field) with nevada as the prefix it will login. That means if
>>> I enter nevada123 (or whatever as the suffix) it will
>>> login.
>>
>> Seems like a bug in the Sage notebook. Could you please try to verify
>> this against sagenb.org and if the problem is in there as well,
>> could you please report it to the sage notebook list?
>
> Exactly! Its the bug in Sage notebook. The issue is there in sagenb.org too.
> I even can login with "nevad" if the password is of nevada. I am
> reporting to sage notebook list
>
> Sameer

[mpatel]

Could the problem be sagenb.notebook.user.User's use of ​crypt:

>>> import crypt
>>> crypt.crypt('abcdefgh', 'aa')
'aaHHlPHAM4sjs'
>>> crypt.crypt('abcdefghi', 'aa')
'aaHHlPHAM4sjs'

?

[mpatel]

But ​crypt supports whatever the OS's underlying ​crypt(3) supports. We could instead do, e.g.,

import crypt as c, random as r
salt = repr(r.random())[2:]
'77551456940940877'
c.crypt('abcdefgh', '$6$' + salt + '$')
'$6$7755145694094087$uW0RGjvJG3I.BDFKIAieUTPZkD4IGI6b8RtLt1fZ9czR0TefjriLwRGPItgPyZogDFsy.YorN24v2GM4YrBwK0'
c.crypt('abcdefghi', '$6$' + salt + '$')
'$6$7755145694094087$txEQuYAJlZ.042gqmPTeLSczXBv1sI6kSjzpbmU7o89rh.Tk7qUGHhLHtL1GIrVXmUdFrQBuIefktTTptuEq31'

If Linux and Mac OS X, at least, both support SHA-512, I suggest we use it by default. Should we generate each user's pseudo-random "salt" --- ​used to avoid clustering --- differently than above?

[kcrisman]

I cannot replicate this, and it is so old I am going to ask to close this.