more secure crypt() function

Paul Rubin
Sat Oct 4 14:09:57 EDT 2003


Marco Herrn <herrn at gmx.net> writes:
> I found the md5 and sha modules. But they work differently from the crypt
> module. But it doesn't seem to be compatible. I need the way crypt works
> with a salt to verify the password.
> 
> So my real question is: What function can be used instead of crypt() to
> generate secure crypted passwords that are compatible with the way
> crypt() works?
> 
> I hope my intention is clear....

No your question isn't clear.  If you want your hash function to be
compatible with crypt, you have to use crypt, there's no getting
around it.

If you just mean you want to use salted passwords the way unix
password files do, you can use md5 or sha.  Just do something like:

   import hashlib   # hashlib.md5 replaces the old md5 module (md5.new)
   import secrets
   import string

   def md5x(s):
       return hashlib.md5(s.encode()).hexdigest()[:16]

   def hash(password):
       # 4 random characters, stored in front of the digest
       salt = ''.join(secrets.choice(string.ascii_letters) for _ in range(4))
       return salt + md5x(salt + password)

   def verify(password, hashed):
       salt, digest = hashed[:4], hashed[4:]
       return digest == md5x(salt + password)

Note that salting doesn't really protect you from dictionary search
any more.  The right way to do password hashing these days is with the
HMAC function (see docs for the hmac module), with a secret key as
well as with a salt.  But keeping the key secret creates a nontrivial
administrative problem.  I can suggest some ways to deal with it if
you want, that depending on your application, may or may not be more
trouble than they're worth.
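The keyed scheme the reply recommends (an HMAC over the password with a secret key as well as a per-password salt), as an added example in modern Python; it is not code from the original post, and the key value and the "salt$digest" storage format are assumptions made here:

```python
import hashlib
import hmac
import secrets

# Assumed: the secret key is kept outside the password store (e.g. a
# restricted config file). Constructed demo value, not a real key.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def hash_password(password, key=SECRET_KEY, salt=None):
    """Return 'salt$digest' where digest = HMAC-SHA256(key, salt + password)."""
    if salt is None:
        salt = secrets.token_hex(8)  # fresh 16-hex-char salt per password
    mac = hmac.new(key, (salt + password).encode(), hashlib.sha256)
    return salt + "$" + mac.hexdigest()


def verify_password(password, stored, key=SECRET_KEY):
    """Recompute the HMAC with the stored salt and compare in constant time."""
    salt, _, digest = stored.partition("$")
    mac = hmac.new(key, (salt + password).encode(), hashlib.sha256)
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(mac.hexdigest(), digest)
```

Without the key, the stored salt and digest alone are not enough to test candidate passwords offline, which is the point of the reply's "secret key as well as a salt"; the cost is that the key has to be protected and distributed separately from the password file.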
