[Python-ideas] Add adaptive-load salt-mandatory hashing functions?

Nick Coghlan ncoghlan at gmail.com
Mon Jun 11 08:09:11 CEST 2012

On Mon, Jun 11, 2012 at 4:35 AM, Masklinn <masklinn at masklinn.net> wrote:
> On 2012-06-10, at 20:24 , Simon Sapin wrote:
>> Le 10/06/2012 20:11, Masklinn a écrit :
>>> [...] when there's no code yet
>>> I'll try to get something done first
>> There is code, with tests. Here is the link I posted earlier in this thread:
>> https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py
> Yes, I've seen it, but
> 1. I'll need to talk to Armin about using that code (which is why I CC'd
>   him to the list when I responded to Nick's response to your comment),
>   or have him do it, I don't think anybody is going to take his code
>   without even asking for consent and try to push it into the stdlib
> 2. The interface is simple, but painful. Just look at the comment at the top:
>        3.  Store ``algorithm$salt:costfactor$hash`` in the database so that
>        you can upgrade later easily to a different algorithm if you need
>        one.  For instance ``PBKDF2-256$thesalt:10000$deadbeef...``.
>   if we know what's supposed to be done, how about just doing it and
>   returning *that*? If it goes into the stdlib, I'd like to have
>   something non-cryptographers can use easily, correctly and without
>   making mistakes. Then there's the issue of implementing the equality
>   test, extracting stuff from that storage string on subsequent auths to
>   test for matches. It should be possible to do all that in a single
>   user-facing operations, no munging about in user's code.
> 3. The test suite needs to be converted to the stdlib's format
> 4. The documentation needs to be written

Right. Given the time frames involved, it's probably best to target
this at 3.4 as a simple way to do
rainbow-table-and-brute-force-resistant password hashing and
comparisons, defaulting to PBKDF2, but accepting alternative key
derivation functions so people can plug in bcrypt, scrypt, etc
(similar to the way hmac defaults to md5, but lets you specify any
hash function with the appropriate API).

I think Armin's already created a good foundation for that, but
there'll be quite a bit of work in getting a PEP written, etc.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-ideas mailing list