How to store passwords?

James Stroud jstroud at mbi.ucla.edu
Wed Jan 7 16:12:43 EST 2009


James Stroud wrote:
> Oltmans wrote:
>> I'm writing a program in which I will ask users to enter user name and
>> password once only. It's a console based program that will run on
>> Windows XP. Actually, I'm trying to provide the similar functionality
>> as "Remember me" thing in browsers. For that, I will need to store
>> user name and passwords on the disk. I don't have a background in
>> Crypto so how do you suggest I do that? What algorithms shall I be
>> using? Moreover, I cannot use a whole library to do that due to
>> certain issues. However, I can use like 1--2 files that will be
>> shipped along with the main script. Any ideas? Any help will be really
>> appreciated. Thanks.
> 
> There is a pure Python implementation of Blowfish out there. Google will 
> help you. I can't remember which, if any, types of block chaining it 
> supports. In some cases, it is important to use a block chaining 
> protocol, but for passwords with high entropy (i.e. good passwords), block 
> chaining is not really necessary.
> 
> 256 bit Blowfish or AES are adequate for storage of sensitive passwords. 
> You would be well advised to read a manual like Schneier before you use 
> cryptography for sensitive applications. Pitfalls exist even when you 
> use a strong algorithm and think you know what you are doing. Stay away 
> from stream ciphers. They are easy to screw up.
> 
> Don't attempt to use DES, etc., for this either, they are not secure 
> enough. Don't pretend that you can invent your own cipher either just in 
> case the thought might cross your mind. Google "adacrypt" for some 
> hilarity in this area.
> 
> If you check out sf.passerby.net and download the source, you will see a 
> pure Python module in there called jenncrypt which can help with 
> buffering and has minimal file I/O type emulation for block ciphers, which 
> you will appreciate when you try to use your block cipher for plaintexts 
> of irregular sizes.
> 
> James

Before anyone jumps me, I just realized the point is authentication. Use 
a hash as others have suggested.

James
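James's closing suggestion, to hash the password rather than store it, in working Python. This is an added example, not code from the original thread or from James; it assumes Python 3's standard hashlib/hmac modules and uses a record format (pbkdf2_sha256$iterations$salt$hash) chosen here for illustration. It covers the authentication case he names (the user re-types the password and the program checks it); it does not cover replaying a stored password to a third party, which a hash cannot do.

```python
import base64
import hashlib
import hmac
import os

# Parameters for PBKDF2-HMAC-SHA256. These values are this example's
# choice, not from the original post; raise ITERATIONS over time.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGO_TAG = "pbkdf2_" + HASH_NAME


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64.

    A fresh random salt per password means two users with the same
    password get different records and precomputed tables are useless;
    storing the parameters in the record lets them be raised later.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        ALGO_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def _parse_record(record: str):
    """Split a record into (hash_name, iterations, salt, expected_hash).

    Returns None for anything malformed so callers fail closed.
    """
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return None
        hash_name = algo[len("pbkdf2_"):]
        iterations = int(iters)
        if iterations <= 0:
            return None
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return None
    return hash_name, iterations, salt, expected


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time, so a timing difference does not reveal how many
    leading bytes of a guess matched."""
    parsed = _parse_record(record)
    if parsed is None:
        return False  # unknown or corrupt record: reject
    hash_name, iterations, salt, expected = parsed
    try:
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), salt, iterations,
            dklen=len(expected),
        )
    except ValueError:
        return False  # hash name not supported by this Python build
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses weaker parameters than the current
    policy. Call this after a successful verify and re-hash the password
    the user just supplied, so old records are upgraded transparently."""
    parsed = _parse_record(record)
    if parsed is None:
        return True
    hash_name, stored_iterations, _salt, _expected = parsed
    return hash_name != HASH_NAME or stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample: store one record, then check a right and a wrong guess.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

The record is what goes on disk in place of the password; the salt and iteration count are not secrets and can sit next to the hash. If an existing store has lower iteration counts, `needs_rehash` flags them so they can be upgraded on the user's next successful login, the only moment the plaintext is available.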