storing passwords
Neil Schemenauer
nas at arctrix.com
Mon Jan 15 03:36:07 EST 2001
On Mon, Jan 15, 2001 at 10:08:52PM +0200, Moshe Zadka wrote:
> On Mon, 15 Jan 2001 Andrew MacIntyre <andymac at bullseye.apana.org.au> wrote:
>
> > I wrote a simple module that stores the account,password pair as an XOR
> > "masked" string in a dbm file with the hostname as the key. The module is
> > only published (put in the PYTHONPATH) as a .pyc/.pyo, so the full source
> > is not generally readable.
> >
> > This is only obscurity however, not real security.
>
> And not even good obscurity! .pyc files are actually quite readable
> if you use the dis module, and I think Mr. Aycock wrote a decompyler.
> Don't use security through obscurity, please!
There's no excuse either:
import sha   # Python 2's SHA-1 module; hashlib.sha1 is the modern equivalent

def hash_password(password):
    """Apply a one way hash function to the user's password and
    return the result (a hex digest, never the password itself)"""
    return sha.new(password).hexdigest()

def valid_password(password, hash):
    "Return true if the provided password is correct"
    # only the digest is stored, so we re-hash the candidate and compare
    return (hash == hash_password(password))
It's easy to add some "salt" to the hash too if you're worried about
dictionary based attacks.
Neil
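Added example, not code from Neil's message or the thread above: a salted version of the same two functions, written for the Python 3 standard library (hashlib, hmac, os). It goes a step beyond the salt Neil mentions by iterating the hash with PBKDF2 and comparing digests in constant time; the iteration count, salt size and the "name$iterations$salt$digest" record layout are choices made for this example, not anything the original post specified.

```python
# Added example (not Neil's code): salted, iterated password hashing with a
# constant-time comparison, using only the Python 3 standard library.
import hashlib
import hmac
import os

# Parameters chosen for this example; tune ITERATIONS to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record "algorithm$iterations$salt$digest".

    A fresh random salt is generated for every call, so two users with the
    same password get different records and a precomputed dictionary of
    hashes cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([HASH_NAME, str(iterations), salt.hex(), digest.hex()])


def valid_password(password, record):
    """Return True if password matches the stored record.

    The algorithm, salt and iteration count are read back from the record,
    so old records keep verifying after ITERATIONS is raised for new ones."""
    try:
        hash_name, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                     salt, int(iterations))
    except ValueError:
        # malformed record or unknown hash name: treat as a failed login
        return False
    # compare_digest takes the same time whichever byte differs first
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(valid_password("correct horse battery staple", record))  # True
    print(valid_password("Tr0ub4dor&3", record))                   # False
```

Store the whole record string in the dbm file in place of the XOR-masked password; nothing in it needs to be secret, since an attacker who reads it still has to run PBKDF2 once per guess per account.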