Another security question

Steve D'Aprano steve+python at pearwood.info
Fri Dec 23 11:58:59 EST 2016


On Fri, 23 Dec 2016 10:08 pm, Frank Millman wrote:

> "Steve D'Aprano"  wrote in message
> news:585d009f$0$1599$c3e8da3$5496439d at news.astraweb.com...
>>
>> On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
>>
>> >
>> > 3. Generate the password from the string supplied by the user as
>> > follows -
>> >     from hashlib import blake2b
>> >     password = blake2b('my_password'.encode('utf-8'), salt=salt).digest()
>> >
>> > The hashlib docs have the following warning -
>> >
>> > "Salted hashing (or just hashing) with BLAKE2 or any other general-purpose
>> > cryptographic hash function, such as SHA-256, is not suitable for hashing
>> > passwords. See BLAKE2 FAQ for more information."
>>
>> Why are you using Blake2 when the docs explicitly say not to use them in this
>> way? Have you read the FAQ to see what it says?
>>
> 
> Why am I using Blake2? Well, before today I had not heard of it. However,
> in the past, when I needed to create a hashed password, I used the
> built-in hashlib module. Today, when I look at the docs for hashlib in
> Python 3.6, this is the new sub-heading -
>     "15.2. hashlib — BLAKE2 hash functions"
> 
> So it appears that this is the new preferred way of doing it.

What makes a good hash function for passwords is not the same as a good
general purpose hash function, cryptographic or not.

You can read more about this:

http://security.blogoverflow.com/2013/09/about-secure-password-hashing/
https://crackstation.net/hashing-security.htm
http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374

but the TL;DR is that any of the general-purpose hash functions -- md5,
sha-1, sha-2 (sha-256 or sha-512), sha-3 or BLAKE2 -- are poor choices
because they're *too fast*, or have other vulnerabilities, or both.


> This is what the Blake2 FAQ says -
> 
> "You shouldn't use *any* general-purpose hash function for user passwords,
> not BLAKE2, and not MD5, SHA-1, SHA-256, or SHA-3. Instead you should use
> a password hashing function such as the PHC winner Argon2 with appropriate
> time and memory cost parameters, to mitigate the risk of bruteforce
> attacks—Argon2's core uses a variant of BLAKE2's permutation"
> 
> I see that there is a Python implementation of Argon2 in PyPI, but I don't
> particularly want to add another dependency to my app. My gut-feel says
> that this is overkill for my requirement. However, I am not sure. That is
> partly why I started this thread, to get some counter-arguments.

I have no opinion about Argon2, but I too would be reluctant to use an
external dependency of unknown quality.

The tried and tested password hashing functions are PBKDF2, bcrypt and
scrypt, with bcrypt generally considered the "boring, reliable" solution.
But there's no Python standard library implementation, which is sad.

crypt is also said to be sufficiently strong, but only some versions, and I
believe it is Unix/Linux only.

https://docs.python.org/3.5/library/crypt.html#module-crypt


There is a stdlib PBKDF2. If you want to avoid third-party dependencies, use
that.

https://docs.python.org/3.4/library/hashlib.html#hashlib.pbkdf2_hmac


By the way, thanks for raising this interesting question! This is exactly
the sort of thing that the secrets module is supposed to make a "no
brainer", so I expect that it will get a password hash function.


-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
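
The stdlib route suggested above, as an added example that is not part of the original post: salted password hashing with `hashlib.pbkdf2_hmac`, verified in constant time. The function names, the `scheme$iterations$salt$hash` record format, and the iteration counts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000         # assumed work factor; tune to your hardware
MAX_ITERATIONS = 10_000_000  # assumed cap so a corrupt record cannot stall a login
SALT_BYTES = 16
SCHEME = "pbkdf2_" + ALGORITHM


def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), derived.hex()])


def parse_record(stored):
    """Split a stored record; return (iterations, salt, digest) or None if malformed."""
    try:
        scheme, iter_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_text)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return None
    return iterations, salt, digest


def verify_password(password, stored):
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when the record is malformed or used a lower cost than the current one."""
    parsed = parse_record(stored)
    return parsed is None or parsed[0] < ITERATIONS
```

Storing the cost alongside the salt lets the work factor be raised later: after a successful login, `needs_rehash` flags old records so they can be re-hashed while the plaintext is still in hand.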



