[Python-ideas] Add adaptive-load salt-mandatory hashing functions?

Nick Coghlan ncoghlan at gmail.com
Mon Jun 11 12:03:35 CEST 2012


On Mon, Jun 11, 2012 at 6:42 PM, Christian Heimes <lists at cheimes.de> wrote:
> On 11.06.2012 08:09, Nick Coghlan wrote:
>> Right. Given the time frames involved, it's probably best to target
>> this at 3.4 as a simple way to do
>> rainbow-table-and-brute-force-resistant password hashing and
>> comparisons, defaulting to PBKDF2, but accepting alternative key
>> derivation functions so people can plug in bcrypt, scrypt, etc.
>> (similar to the way hmac defaults to md5, but lets you specify any
>> hash function with the appropriate API).
>>
>> I think Armin's already created a good foundation for that, but
>> there'll be quite a bit of work in getting a PEP written, etc.
>
> Python already has an excellent library for password hashing: passlib
> [1]. It's well written and documented, contains more than 30 password
> hashing algorithms and schemas used by major platforms and applications
> like Unix, LDAP and databases. The library even contains a policy
> framework for handling, recognizing and migrating passwords as well as
> counteractive measures against side channel attacks.
>
> IMHO it's not enough to just provide the basic algorithm for PBKDF2 and
> friends. There is still too much space for error. Passlib hides the
> complex parts and has a user friendly API, for example
> http://packages.python.org/passlib/lib/passlib.context-tutorial.html#deprecation-hash-migration

Thanks for the link, Christian, it does appear this particular wheel
has already been thoroughly invented. I'll be recommending passlib for
use by others in the future and will look into adopting it for my own
projects.

However, password hashing is an important and common enough problem
that it would be good to have some basic level of support in the
standard library, with a clear migration path to a more feature-complete
approach like passlib.

It would be good if someone were willing to do the work of raising this
discussion with the passlib authors, and looking to see if a suitably
stable core could be extracted that is API compatible with passlib,
and could be proposed as a standard library addition for 3.4.

Regards,
Nick.


-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
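The kind of minimal standard-library core sketched in this thread (mandatory random salt, PBKDF2 by default, pluggable KDFs, constant-time comparison, and a hook for migrating old hashes) as an added example; this is illustrative code written for this page, not Armin's foundation, passlib's API or anything that shipped in CPython. The hash-string layout `kdf$rounds$salt_hex$digest_hex`, the function names and the default round count are assumptions.

```python
import hashlib
import hmac
import os

# Registry of key derivation functions, keyed by a short name that is stored
# inside the hash string so each stored hash records how it was produced.
# Every KDF has the signature kdf(password: bytes, salt: bytes, rounds: int) -> bytes,
# which is the plug-in point for bcrypt/scrypt-style alternatives.
def pbkdf2_sha256(password, salt, rounds):
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)

def pbkdf2_sha512(password, salt, rounds):
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds, dklen=64)

KDFS = {"pbkdf2_sha256": pbkdf2_sha256, "pbkdf2_sha512": pbkdf2_sha512}
DEFAULT_KDF = "pbkdf2_sha256"
DEFAULT_ROUNDS = 100000  # assumed policy value; tune to the deployment's hardware

def hash_password(password, *, kdf=DEFAULT_KDF, rounds=DEFAULT_ROUNDS, salt=None):
    """Return a self-describing 'kdf$rounds$salt_hex$digest_hex' string.

    The salt is mandatory: a fresh 16-byte random salt is drawn when the caller
    supplies none, so two accounts with the same password never share a hash
    and a precomputed rainbow table is useless against the stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = KDFS[kdf](password.encode("utf-8"), salt, rounds)
    return "$".join([kdf, str(rounds), salt.hex(), digest.hex()])

def verify_password(password, stored):
    """Recompute with the KDF, rounds and salt recorded in the stored string and
    compare in constant time, so timing does not leak how many bytes matched."""
    kdf, rounds, salt_hex, digest_hex = stored.split("$")
    digest = KDFS[kdf](password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored, *, kdf=DEFAULT_KDF, rounds=DEFAULT_ROUNDS):
    """True when the stored hash uses a different KDF or fewer rounds than the
    current policy; callers re-hash on the next successful login to migrate."""
    stored_kdf, stored_rounds, _, _ = stored.split("$")
    return stored_kdf != kdf or int(stored_rounds) < rounds
```

Because every stored value names its own KDF and parameters, raising the round count or switching KDFs never invalidates existing hashes; they keep verifying and are upgraded opportunistically via `needs_rehash`.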


