General Password questions
Aahz
aahz at pythoncraft.com
Tue Sep 23 12:34:56 EDT 2003
In article <pan.2003.09.23.16.02.35.675695 at riquito.matrix>,
Riccardo Attilio Galli <riquito at riquito.matrix> wrote:
>
>I think you have misunderstood me(mmm, I hope it sound polite enough in
>english). An user should never enter the password again. I know how hashes
>work, and they're useful when I can compare an entered password with an
>hash value, but here I need that the user don't enter a password anymore
>(after the first time).
>
>The natural use of the program would be:
>run the e-mail client for the first time
>user enter his e-mail password
>the client check for new mails
>user close the client.
>
>while 1:
> user run the e-mail client
> the client check for new mails WITHOUT ask for a password
> user close the client
This is extremely difficult to do in a secure way. What you need to do
is encrypt the e-mail password before storage; each time the user starts
the e-mail application, zie needs to enter the local password. There are
other less secure options, all of which (with some partial exceptions)
equate to "no security" from the perspective of a security professional.
(E.g. relying on the OS to keep the data secure.)
Python does not make encryption available in its "batteries included"
philosophy because of the legal problems. M2Crypto is probably the
module most often used; see also
http://www.amk.ca/python/code/crypto.html
--
Aahz (aahz at pythoncraft.com) <*> http://www.pythoncraft.com/
"It is easier to optimize correct code than to correct optimized code."
--Bill Harlan
More information about the Python-list
mailing list