[Python-ideas] Add adaptive-load salt-mandatory hashing functions?

Christian Heimes lists at cheimes.de
Mon Jun 11 10:42:59 CEST 2012


On 11.06.2012 08:09, Nick Coghlan wrote:
> Right. Given the time frames involved, it's probably best to target
> this at 3.4 as a simple way to do
> rainbow-table-and-brute-force-resistant password hashing and
> comparisons, defaulting to PBKDF2, but accepting alternative key
> derivation functions so people can plug in bcrypt, scrypt, etc
> (similar to the way hmac defaults to md5, but lets you specify any
> hash function with the appropriate API).
> 
> I think Armin's already created a good foundation for that, but
> there'll be quite a bit of work in getting a PEP written, etc.

Python already has an excellent library for password hashing: passlib
[1]. It's well written and documented, contains more than 30 password
hashing algorithms and schemas used by major platforms and applications
like Unix, LDAP and databases. The library even contains a policy
framework for handling, recognizing and migrating passwords as well as
counteractive measures against side channel attacks.

IMHO it's not enough to just provide the basic algorithm for PBKDF2 and
friends. There is still too much space for error. Passlib hides the
complex parts and has a user friendly API, for example
http://packages.python.org/passlib/lib/passlib.context-tutorial.html#deprecation-hash-migration.

Christian

[1] http://packages.python.org/passlib/
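As an added illustration (not code from this thread or from passlib), here is a minimal version of the design Nick sketches above: a mandatory random salt, PBKDF2-HMAC as the default KDF via hashlib.pbkdf2_hmac, a table of pluggable KDFs in the style of hmac's pluggable digest, a constant-time comparison with hmac.compare_digest, and the kind of deprecation/migration policy check Christian points to in passlib. The function names, the KDF registry and the `$`-separated storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Added example (not passlib, not the Python stdlib proposal itself).
# KDF signature: kdf(password_bytes, salt, rounds) -> digest bytes.
def pbkdf2_sha256(password: bytes, salt: bytes, rounds: int) -> bytes:
    # hashlib.pbkdf2_hmac exists since Python 3.4.
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)

# Pluggable KDF registry: bcrypt/scrypt wrappers could be registered here
# as long as they follow the same signature (assumed design, not stdlib).
KDFS: Dict[str, Callable[[bytes, bytes, int], bytes]] = {
    "pbkdf2-sha256": pbkdf2_sha256,
}

def hash_password(password: str, rounds: int = 100_000,
                  kdf_name: str = "pbkdf2-sha256",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: kdf$rounds$salt_hex$digest_hex."""
    # The salt is mandatory: callers cannot opt out, only supply their own
    # (the parameter exists so tests can be deterministic).
    salt = os.urandom(16) if salt is None else salt
    digest = KDFS[kdf_name](password.encode("utf-8"), salt, rounds)
    return "%s$%d$%s$%s" % (kdf_name, rounds, salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    kdf_name, rounds_s, salt_hex, digest_hex = stored.split("$")
    digest = KDFS[kdf_name](password.encode("utf-8"),
                            bytes.fromhex(salt_hex), int(rounds_s))
    # compare_digest avoids leaking the length of the matching prefix.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, min_rounds: int = 100_000,
                 current_kdf: str = "pbkdf2-sha256") -> bool:
    """Policy check: hash uses a deprecated KDF or too few rounds.

    An application calls this after a successful verify_password() and,
    if it returns True, stores hash_password(password) in its place.
    """
    kdf_name, rounds_s, _salt_hex, _digest_hex = stored.split("$")
    return kdf_name != current_kdf or int(rounds_s) < min_rounds
```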
