Encryption Recommendation

Michael Ströder michael at stroeder.com
Tue Jan 29 04:10:01 EST 2008


Diez B. Roggisch wrote:
> rogerrath2 at gmail.com wrote:
> 
>> I'm still using Python 2.4.  In my code, I want to encrypt a password
>> and at another point decrypt it.  What is the standard way of doing
>> encryption in python?  Is it the Pycrypto module?
> 
> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.
> 
> If a user enters the password, use the same algorithm, and compare the
> resulting hashes with the stored one.

And don't forget to add a salt so that same passwords do not have the 
same hash.

But if the password checking is done with a challenge-response mechanism 
(e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's required that the 
instance checking the password has the clear-text password available. So 
reversible encryption for storing passwords might be required.

Ciao, Michael.
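An added example, not part of the original message and written for current Python 3 rather than 2.4: salted one-way storage as recommended above, next to an HTTP Digest check (no-qop form) where the verifier has to recompute the response from the password itself. PBKDF2-HMAC-SHA256 stands in for the md5/crypt hashes named in the thread; the function names, the iteration count and the sample credentials are assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """HTTP Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_check_digest(user, realm, secret, method, uri, nonce, client_response):
    """The verifier recomputes the response, so `secret` must be the password."""
    expected = digest_response(user, realm, secret, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    pw = "correct-horse-constructed"  # constructed sample password
    (s1, h1), (s2, h2) = hash_password(pw), hash_password(pw)
    print("same password, different stored hashes:", h1 != h2)
    print("login check against salted hash:", verify_password(pw, s1, h1))
    # Constructed Digest exchange: user, realm, URI and nonce are made up.
    resp = digest_response("alice", "example", pw, "GET", "/inbox", "n0nce")
    print("digest check with password:", server_check_digest(
        "alice", "example", pw, "GET", "/inbox", "n0nce", resp))
    print("digest check with salted hash only:", server_check_digest(
        "alice", "example", h1.hex(), "GET", "/inbox", "n0nce", resp))
```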


