Using Rotor with password file

Paul Rubin phr-n2003b at NOSPAMnightsong.com
Sat Feb 1 20:19:07 CET 2003


"James Kew" <james.kew at btinternet.com> writes:
> > Don't use the rotor module, it is insecure.
> 
> This is the second time I've seen this comment recently.
> 
> If it's insecure, why is it in the standard library? Should it be removed
> (as rexec and bastion will be)? Or at least deprecated (and subject to a
> DeprecationWarning)?

I hadn't heard rexec and bastion will be removed.  In my opinion,
rotor should be deprecated, but I don't get to decide things like
that.

Here's a module you can use instead of rotor, based on the built-in
SHA module:

   http://www.nightsong.com/phr/crypto/p2.py

Its security should be ok.  You'll have to edit out the date check.
I'll get around to putting up a renamed version with the date check
removed, but this whole approach is kind of a stopgap--I hope that
Python's standard library will get some real cryptography soon.
Apparently one obstacle in the past has been US export restrictions on
crypto code, but those restrictions have eased up in recent years.



