Methods for password storage

Bill Scherer scherbi at bam.com
Mon Apr 3 07:46:04 EDT 2000


Brad -

Don't store the password.  Use crypt (unix only) or maybe MD5, and store
the encrypted password.  This way no one can view the user's real password.
When authenticating the user, you must encrypt the password provided (in
the same manner, obviously), and compare it to the stored version.  If they
match, the user knows the password.  crypt and md5 are one way ciphers,
that is there is no way, other than brute force, to get the original text
out of the ciphertext.

The crypt algorithm is what many unix systems use to encrypt users
passwords.  The encrypted password can be viewed by most users in the file
/etc/password.  You may choose to make your store of encrypted passwords
inaccessible to the average user.  That would make brute force attacks more
difficult ;-).

If I've gotten any of this wrong, someone will point that out soon, but
this is basically the method I'm using.

-Bill  Scherer

Brad Chapman wrote:

> Hello!
>     I'm working on a program which stores passwords (for database
> access) that a user enters in a GUI. The program is targeted for unix
> machines. I'm not very experienced with security issues like this and am
> trying to store them in as secure a manner as possible.
>     Does anyone have any advice/examples for how to securely store
> sensitive information like this using python? Are there other security
> issues I should worry about when dealing with passwords? Thanks in
> advance for any advice!
>
> Brad
>
> --
> http://www.python.org/mailman/listinfo/python-list

--
William K. Scherer
Sr. Member of Applications Staff
Bell Atlantic Mobile
http://ampeg.corp.bam.com
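A worked version of the hash-and-compare scheme Bill describes, added here as an example rather than code from either poster: it keeps the same flow (store only a one-way hash, re-hash the supplied password at login, compare) in Python, but swaps crypt/MD5 for a salted, iterated PBKDF2-SHA256 hash via hashlib.pbkdf2_hmac and uses a constant-time comparison. The record format, iteration count and in-memory user table are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; they are not from the original post.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16

def make_record(password: str) -> str:
    """Derive a salted, iterated one-way hash and return the string to store.

    Only this record is kept; the plaintext is discarded. A fresh random salt
    per user means two users with the same password get different records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s$%s" % (SCHEME, ITERATIONS, salt.hex(), digest.hex())

def verify(password: str, record: str) -> bool:
    """Re-derive the hash from the supplied password and compare with the record."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison, so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)

def register(users: dict, name: str, password: str) -> None:
    """Store only the derived record for this user (constructed in-memory table)."""
    users[name] = make_record(password)

def authenticate(users: dict, name: str, password: str) -> bool:
    """Look up the user's record and check the supplied password against it."""
    record = users.get(name)
    if record is None:
        return False
    return verify(password, record)

if __name__ == "__main__":
    table = {}
    register(table, "brad", "correct horse")
    print(authenticate(table, "brad", "correct horse"))  # True
    print(authenticate(table, "brad", "wrong horse"))  # False
```

Restricting read access to wherever these records live, as Bill suggests, still matters: the salt and iteration count slow guessing down, they do not stop it.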