password security

Tim Peters tim_one at email.msn.com
Fri May 19 10:10:33 CEST 2000


[Anders M Eriksson]
> I need a form of login into one of my applications and I would like to
> ask about the security of this method. See below for the actual
> function
>
> I'm using the md5 module to create a 'digest' of the username + a
> random string + the password. Then I compare this to the digest that I
> have saved.
>
> Is this secure on any level?

MD5 is still widely thought to be secure, although Nagging Doubts Have Been
Raised.  The biggest risk with any password scheme is that people tend to
pick easily-guessed passwords, and IMO that swamps the risk due to MD5.  sha
creates a longer digest, which may or may not be more secure (Nagging Doubts
Have Been Raised about NIST changing a tiny part of the sha algorithm
without explaining why -- Nagging Doubts are very popular in this field
<wink>).

> will the random string add to the security?
> if so, will a larger string make the security higher?

No and no.  MD5 doesn't care about the length, and anyone can suck the fixed
"random string" out of your Python bytecode file even if it did.  Assuming
anyone can get at the shelve and the list of user names, the most obvious
vulnerability is that they can simply *try* all possible username + password
combos, looking for a hit on the digest string.  But, as far as anyone
knows, that's also the most efficient attack they can dream up (i.e., brute
force is the best method known).

barring-things-like-just-looking-over-their-shoulder-or-tapping-the-
    keyboard-or-a-gazillion-other-dead-easy-approaches-ly y'rs  - tim
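The scheme from the question, ported to hashlib (the old md5 module was folded into hashlib); this is an added example, not the poster's function, and it assumes a plain dict standing in for the shelve. It goes beyond the question in one respect: the random string is drawn per user and stored beside the digest rather than fixed in the code, since a fixed string can be lifted from the bytecode as noted above.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the shelve mentioned in the thread.
USERS = {}


def make_digest(username, salt, password):
    """MD5 over username + salt + password, as in the original question.

    The digest is always 16 bytes (32 hex chars), whatever the input length.
    """
    data = (username + salt + password).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def register(username, password, store=USERS):
    # A fresh per-user salt stored next to the digest, instead of one fixed
    # string baked into the .pyc, so two accounts with the same password
    # (or the same account on two installs) do not share a digest.
    salt = secrets.token_hex(16)
    store[username] = (salt, make_digest(username, salt, password))


def verify(username, password, store=USERS):
    entry = store.get(username)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison so a near-miss leaks nothing via timing.
    return hmac.compare_digest(stored, make_digest(username, salt, password))


if __name__ == "__main__":
    register("anders", "correct horse")
    print(verify("anders", "correct horse"))  # True
    print(verify("anders", "wrong"))          # False
```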
