storing passwords

Neil Schemenauer nas at arctrix.com
Mon Jan 15 03:36:07 EST 2001


On Mon, Jan 15, 2001 at 10:08:52PM +0200, Moshe Zadka wrote:
> On Mon, 15 Jan 2001 Andrew MacIntyre <andymac at bullseye.apana.org.au> wrote:
> 
> > I wrote a simple module that stores the account,password pair as an XOR
> > "masked" string in a dbm file with the hostname as the key.  The module is
> > only published (put in the PYTHONPATH) as a .pyc/.pyo, so the full source
> > is not generally readable.
> > 
> > This is only obscurity however, not real security.
> 
> And not even good obscurity! .pyc files are actually quite readable
> if you use the dis module, and I think Mr. Aycock wrote a decompyler.
> Don't use security through obscurity, please!

There's no excuse either:

    import hashlib

    def hash_password(password):
        """Apply a one way hash function to the users password and
        return the result"""
        # SHA-1 via hashlib (the old Python 2 'sha' module); the password
        # is encoded to bytes first and hexdigest() returns hex text
        return hashlib.sha1(password.encode("utf-8")).hexdigest()

    def valid_password(password, stored_hash):
        "Return true if the provided password is correct"
        return (stored_hash == hash_password(password))

It's easy to add some "salt" to the hash too if you're worried about
dictionary-based attacks.

  Neil
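The salted variant Neil mentions, as an added example that is not part of the original post. It goes a step beyond the message: besides a random per-user salt (so two users with the same password get different records, which is what defeats a precomputed dictionary), it uses an iterated hash (PBKDF2-HMAC-SHA256, an assumed choice) so each guess costs the attacker real work, and a constant-time comparison. The bare SHA-1 function is included only for contrast. The record format "pbkdf2_sha256$iterations$salt$digest" and the iteration count are assumptions, not anything from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The scheme from the original post (SHA-1, no salt), for comparison:
    equal passwords always produce equal hashes, so one lookup table
    cracks every account that shares a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for deterministic tests). Because the salt and iteration
    count are stored alongside the digest, the record is self-describing
    and the work factor can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def valid_password(password: str, record: str) -> bool:
    """Return True if the password matches the stored record.

    Malformed records are rejected rather than raising, and the final
    comparison is constant-time so timing does not leak how many leading
    bytes of the digest matched.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demonstration: same password, two users, two records.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("unsalted sha1 identical:", unsalted_sha1("correct horse") == unsalted_sha1("correct horse"))
    print("salted records identical:", alice == bob)
    print("alice verifies:", valid_password("correct horse", alice))
    print("wrong password verifies:", valid_password("wrong", alice))
```

Store only the record string; the salt is not a secret and needs no separate protection, it just has to be unique per account.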
