General Password questions

Peter Hansen peter at engcorp.com
Tue Sep 23 01:32:50 CEST 2003


Todd Johnson wrote:
> 
> I am creating a dialog in wxPython for log in
> purposes. Basically when the user clicks the ok
> button, the dialog box saves the user name and
> password as class attributes. Then as long as the
> dialog exists calling MyDialog.GetUserName() and
> MyDialog.GetPassword() returns them. This seems
> insecure to me. 

Why do you feel it's insecure?

> On a similar note, I want to save the password to a
> file. How do I encrypt the password?

You don't encrypt passwords, you hash them.  That means use a
cryptographically strong hashing algorithm such as SHA or MD5
and store the resulting value.  Later, when a user has entered 
a password which you want to check against the correct one, you 
run the same hash algorithm on the password-under-test and compare 
the result with the stored result.  The hash algorithm is designed
so that it's computationally infeasible to reverse-engineer a
password that corresponds to a given hash value, making it about
as good as storing the real thing without the insecurity in
that approach.  Luckily, these algorithms are already implemented
for you so you don't need to deal with the complexities.

Note, however, the likelihood that somebody interested in 
cracking this whole system could easily do things like change
the Python source, or modify the password file that contains the
hash value, substituting their own pre-calculated hash which
matches the password they wish to enter.

Assuming you are just trying to prevent casual intrusion and
there's really nothing valuable involved, a simple hash using
the sha or md5 module would probably do fine.  Of course, at this
point I fully expect a dozen people with more background in 
security to start stomping all over this advice and tell you 
how wrong it is, but I live to provide people with that kind of
opportunity. ;-)

I encourage you to learn more about this, too, by searching the
web or something.  Time spent studying security issues will always 
repay itself, no matter your current level of expertise...

-Peter




More information about the Python-list mailing list