How to store passwords?
James Stroud
jstroud at mbi.ucla.edu
Wed Jan 7 16:12:43 EST 2009
James Stroud wrote:
> Oltmans wrote:
>> I'm writing a program in which I will ask users to enter user name and
>> password once only. It's a console based program that will run on
>> Windows XP. Actually, I'm trying to provide the similar functionality
>> as "Remember me" thing in browsers. For that, I will need to store
>> user name and passwords on the disk. I don't have a background in
>> Crypto so how do you suggest I do that? What algorithms shall I be
>> using? Moreover, I cannot use a whole library to do that due to
>> certain issues. However, I can use like 1--2 files that will be
>> shipped along with the main script. Any ideas? Any help will be really
>> appreciated. Thanks.
>
> There is a pure python implementation of blowfish out there. Google will
> help you. I can't remember which, if any, types of block chaining it
> supports. In some cases, it is important to use a block chaining
> protocol, but for passwords with high entropy (i.e. good passwords), block
> chaining is not really necessary.
>
> 256 bit Blowfish or AES are adequate for storage of sensitive passwords.
> You would be well advised to read a manual like Schneier before you use
> cryptography for sensitive applications. Pitfalls exist even when you
> use a strong algorithm and think you know what you are doing. Stay away
> from stream ciphers. They are easy to screw up.
>
> Don't attempt to use DES, etc., for this either, they are not secure
> enough. Don't pretend that you can invent your own cipher either just in
> case the thought might cross your mind. Google "adacrypt" for some
> hilarity in this area.
>
> If you check out sf.passerby.net and download the source, you will see a
> pure python module in there called jenncrypt which can help with
> buffering and has minimal fileIO type emulation for block ciphers, which
> you will appreciate when you try to use your block cipher for plaintexts
> of irregular sizes.
>
> James
Before anyone jumps me, I just realized the point is authentication. Use
a hash as others have suggested.
James
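The follow-up is the right instinct for the authentication case: if the program only has to decide whether the user typed the correct password again, it never needs the password back, so it should store a salted, slow hash rather than an encrypted copy. The example below is added here and is not code from the thread or from any of the modules it names; it uses only the standard library (hashlib, hmac, os, json), which fits the "no whole library" constraint in the original question. The iteration count, salt length and record layout are my own choices for illustration. Note the one caveat the thread glosses over: a hash only works when this program is the thing doing the authenticating. If the stored credentials must later be presented to some other system, a hash cannot reproduce them, and that case really does need reversible encryption and careful key handling.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Illustrative parameters (assumptions for this example, not from the thread).
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored record
ALGORITHM = "pbkdf2_sha256"


def make_record(username, password, iterations=ITERATIONS, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest and package it for storage.

    The record holds only public parameters plus the digest; the password
    itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "username": username,
        "algorithm": ALGORITHM,
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_record(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    if record.get("algorithm") != ALGORITHM:
        return False                           # unknown scheme: refuse rather than guess
    try:
        salt = bytes.fromhex(record["salt"])
        expected = bytes.fromhex(record["hash"])
        iterations = int(record["iterations"])
    except (KeyError, ValueError):
        return False                           # malformed record never authenticates
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def save_record(record, path):
    """Write the record as JSON, creating the file owner-readable only where the OS honours it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(record, f)


def load_record(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def demo_roundtrip():
    """Store a record, read it back, and check a right and a wrong password.

    Returns True when the stored record accepts the original password and
    rejects a different one; uses a temporary file so it runs anywhere.
    """
    # Constructed sample credential for the demonstration.
    record = make_record("alice", "correct horse battery staple", iterations=50_000)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.json")
        save_record(record, path)
        stored = load_record(path)
    accepted = verify_record(stored, "correct horse battery staple")
    rejected = not verify_record(stored, "Correct horse battery staple")
    return accepted and rejected


if __name__ == "__main__":
    print("round trip ok:", demo_roundtrip())
```

Because the salt and iteration count travel with the record, the parameters can be raised later without invalidating old entries: on a successful login, simply re-derive and overwrite the record with the new settings. A disk copy of this file reveals only a salted digest, so an attacker who obtains it still has to run a guessing attack at the chosen work factor per candidate password.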