[Python-ideas] Add adaptive-load salt-mandatory hashing functions?

Nick Coghlan ncoghlan at gmail.com
Mon Jun 11 23:00:27 CEST 2012


On Tue, Jun 12, 2012 at 6:39 AM, Christian Heimes <lists at cheimes.de> wrote:
> Am 11.06.2012 22:21, schrieb Guido van Rossum:
>> Do you really think that including some API in the stdlib is going to
>> make a difference in education? And what would we do if in 2 years
>> time the stdlib's "basic functionality" were somehow compromised (not
>> due to a bug in Python's implementation but simply through some
>> advance in the crypto world) -- how would we get everyone who relied
>> on the stdlib to switch to a different algorithm? I really think that
>> the right approach here is to get *everyone* who needs this to use a
>> 3rd party library. Diversity is very good here!
>
> +1
>
> I'm against adding just the password hashing algorithms. Developers can
> easily screw up the right algorithm with an erroneous approach. It's the
> beauty of passlib: The framework hides all the complex and
> easy-to-get-wrong stuff behind a minimal API.

Right, when I suggested looking for an "API compatible stable core"
that could be added for 3.4, I was specifically thinking of:

1. The core CryptContext API
2. The PBKDF2 and sha512_crypt derivation functions

Based on a brief look at the module documentation, those parts seem
like they're sufficiently mature to be suitable for the stdlib,
whereas the rest of passlib is more suited to development as a 3rd
party library with its own release schedule.

However, I could be completely wrong, thus the suggestion that it be
looked into, rather than "we should definitely do this". At the very
least, we should be directing people towards passlib for password
storage and comparison purposes.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
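The two stdlib-sized pieces Nick names above, a PBKDF2 derivation function and a minimal CryptContext-style verify-and-upgrade API, can be sketched with nothing but hashlib and hmac. The following is an added example and is not Nick's code, nor passlib's own implementation; the `pbkdf2_sha256$iterations$salt$hash` string layout, the function names and the policy constant are assumptions made for illustration. It shows what "adaptive load" means in practice: the stored string carries its own iteration count, so when the policy is raised later, a successful login can report that the hash needs regenerating instead of everyone having to swap libraries.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy knob (assumed value): the iteration count new hashes are created with.
# Raising it later makes older hashes report needs_rehash=True on the next
# successful verification, which is the adaptive behaviour the thread discusses.
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32
SCHEME = "pbkdf2_sha256"  # assumed scheme tag, not passlib's actual format


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: scheme$iterations$salt_hex$dk_hex.

    The salt parameter exists only so tests can be deterministic; callers
    should leave it as None so every password gets a fresh random salt.
    """
    if iterations <= 0:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str,
                    policy_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    matches      -- the password reproduces the stored derived key
    needs_rehash -- the password matched, but the stored hash was made with
                    fewer iterations than current policy, so the caller
                    should store hash_password(password) now
    """
    try:
        scheme, iters_s, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        # Malformed or unknown layout: treat as a failed verification.
        return False, False
    if scheme != SCHEME or iterations <= 0 or not expected:
        return False, False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison so the check does not leak how many leading
    # bytes of the derived key were correct.
    matches = hmac.compare_digest(candidate, expected)
    needs_rehash = matches and iterations < policy_iterations
    return matches, needs_rehash


if __name__ == "__main__":
    # Constructed walk-through: create a hash under an old policy, then verify
    # it after the policy has been raised.
    old_policy = 50_000
    stored = hash_password("correct horse battery staple", iterations=old_policy)
    print("stored:", stored)
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
    print("right password, policy raised:",
          verify_password("correct horse battery staple", stored,
                          policy_iterations=DEFAULT_ITERATIONS))
```

The only state a deployment has to keep is the stored string itself; the iteration count and salt travel with each hash, so the policy constant can be raised at any time and hashes are upgraded lazily as users authenticate.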