[Cryptography-dev] High-level password hashing module for cryptography?

Frank Siebenlist frank.siebenlist at gmail.com
Tue Jun 14 13:25:28 EDT 2016


Hi pyca/cryptography community,

In my company, we're currently confronted with all the bcrypt vs PBKDF2
vs scrypt vs argon discussions and choices. For each there are further
choices to be made about salt sizes, hash-counts, hash-algos...

Currently pyca/cryptography only has a PBKDF2HMAC module in the hazmat
section, which can be used for password hashing but is presented as a
key-derivation algo... which it technically is.

I'm looking for a higher, non-hazmat, level password-hashing specific module...

Any good libraries available?
Ideally based on pyca/cryptography - although the implementation
choices seem limited (just PBKDF2 unless I missed some...).

I've got some prototype code to see how much we could possibly
abstract the interface to deal with passwords.

Please look at the example python notebook in this gist:
https://gist.github.com/franks42/6edb914203ab7f5a0b151fe0a21e6150

Hopefully that shows some of the interface requirements:

* hide low level key-derivation "stuff" from developers
* work with opaque HTML/URL-friendly tokens to store in the user-passwd-db
* find an easy way to manage policy changes and upgrade affected
password-hash tokens
* make "easy" migration to the ultimate future algo feasible (argon2?)

Ideas/suggestions/feedback much appreciated!

Thanks, Frank.
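A sketch of the token-based interface the requirements list above asks for, added here as an example; it is neither the code in Frank's gist nor pyca/cryptography's own. It uses the standard library's `hashlib.pbkdf2_hmac` in place of cryptography's `PBKDF2HMAC`, and the `Policy` class, the `pbkdf2$algo$iters$salt$hash` token layout and the default parameters are assumptions made for the example, not recommendations. The scheme prefix is what lets tokens produced by a future algorithm (argon2, say) sit in the same column and be detected by `needs_rehash`.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Policy:  # current site-wide policy; defaults are hypothetical, not a recommendation
    algo: str = "sha256"
    iterations: int = 100_000
    salt_len: int = 16

def _b64e(raw: bytes) -> str:  # unpadded URL-safe base64: fits in URLs and HTML attributes
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str, policy: Policy = Policy(), salt: Optional[bytes] = None) -> str:
    salt = os.urandom(policy.salt_len) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(policy.algo, password.encode("utf-8"), salt, policy.iterations)
    # opaque token that carries algo, iteration count and salt alongside the hash
    return "$".join(["pbkdf2", policy.algo, str(policy.iterations), _b64e(salt), _b64e(digest)])

def _parse(token: str) -> Tuple[str, int, bytes, bytes]:
    scheme, algo, iters, salt, digest = token.split("$")  # ValueError if field count is off
    if scheme != "pbkdf2": raise ValueError("unknown scheme")
    return algo, int(iters), _b64d(salt), _b64d(digest)

def verify_password(password: str, token: str) -> bool:
    """Recompute with the parameters stored in the token, then compare in constant time."""
    try:
        algo, iters, salt, digest = _parse(token)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iters)
    except ValueError:
        return False  # malformed token or a hash name hashlib does not know
    return hmac.compare_digest(candidate, digest)

def needs_rehash(token: str, policy: Policy = Policy()) -> bool:
    """True when the stored token is weaker than, or differs from, the current policy."""
    try:
        algo, iters, salt, _ = _parse(token)
    except ValueError:
        return True
    return algo != policy.algo or iters < policy.iterations or len(salt) < policy.salt_len

def verify_and_upgrade(password: str, token: str, policy: Policy = Policy()) -> Tuple[bool, Optional[str]]:
    if not verify_password(password, token):
        return False, None
    # login-time migration: the caller stores the new token whenever one is returned
    return True, (hash_password(password, policy) if needs_rehash(token, policy) else None)
```

Because the parameters travel inside the token, tightening `Policy` later does not invalidate existing rows; affected users are migrated transparently the next time they log in.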

