[Python-Dev] PEP 594: update 1
Giampaolo Rodola'
g.rodola at gmail.com
Tue May 21 12:08:14 EDT 2019
On Tue, 21 May 2019 at 21:13, Christian Heimes <christian at python.org> wrote:
> crypt
> ~~~~~
>
> The `crypt <https://docs.python.org/3/library/crypt.html>`_ module
> implements
> password hashing based on ``crypt(3)`` function from ``libcrypt`` or
> ``libxcrypt`` on Unix-like platform. The algorithms are mostly old, of poor
> quality and insecure. Users are discouraged to use them.
>
> * The module is not available on Windows. Cross-platform application need
> an alternative implementation any way.
> * Only DES encryption is guarenteed to be available. DES has an extremely
> limited key space of 2**56.
> * MD5, salted SHA256, salted SHA512, and Blowfish are optional extension.
> SSHA256 and SSHA512 are glibc extensions. Blowfish (bcrypt) is the only
> algorithm that is still secure. However it's in glibc and therefore not
> commonly available on Linux.
> * Depending on the platform, the ``crypt`` module is not thread safe. Only
> implementations with ``crypt_r(3)`` are thread safe.
> * The module was never useful to interact with system user and password
> databases.
This is actually not true. Their main use case is to compare passwords
against the shadowed password db:
https://github.com/giampaolo/pyftpdlib/blob/ee7b36c701b78b2d36e938c42d08dbfbad55a34f/pyftpdlib/authorizers.py#L413
A quick search on searchcode.com shows both spwd and crypt modules are
used. I am no security expert (and I wasn’t aware they are insecure until
now, since the doc doesn’t mention it) but I would prefer seeing these 2
fixed or improved rather than bluntly removed.
> --
Giampaolo - http://grodola.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20190521/b415c567/attachment.html>
More information about the Python-Dev
mailing list