General Password questions
Peter Hansen
peter at engcorp.com
Tue Sep 23 09:28:49 EDT 2003
Riccardo Attilio Galli wrote:
>
> On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:
>
> > Todd Johnson wrote:
> >>
> >> On a similar note, I want to save the password to a
> >> file. How do I encrypt the password?
> >
> > You don't encrypt passwords, you hash them. That means use a
> > cryptographically strong hashing algorithm such as SHA or MD5
> > and store the resulting value. Later, when a user has entered
> > a password which you want to check against the correct one, you
> > run the same hash algorithm on the password-under-test and compare
> > the result with the stored result.
> > [...]
>
> What if I want to reload an entered password?
> I wrote an e-mail client, and I haven't found a way to store the password
> that a user enters the first time and use it when the program is restarted.
> I don't want to ask the user for the account password every time, but I also
> don't want to store it as plain text.
> Do you know what the usual practice is in these cases?
As near as I can understand your questions, the approach I provided
solves all these issues. You need to do a little research into this
stuff on the web, or do some experimentation, before you'll understand
it well enough to use it, perhaps.
In a nutshell, this is the point: you never use the plaintext form of
the password. As soon as it is entered, you convert it to a hash. You
store the hash, and if a user later enters a password and you need to
check it, you convert *it* to a hash and compare the hashes. Never,
ever, store or compare plain text passwords. Does that help?
-Peter
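A salted, iterated version of the hash-and-compare scheme Peter describes, added here as an example that is not part of the original thread: it uses PBKDF2-HMAC-SHA256 with a random per-password salt and a constant-time comparison instead of a bare SHA or MD5 digest, and the `pbkdf2_sha256$iterations$salt$hash` record format is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not from the original post).
ITERATIONS = 200_000   # work factor: slows down offline guessing of a leaked hash
SALT_BYTES = 16        # random salt so equal passwords do not produce equal records
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a newly entered password and return the record to store.

    The record is self-describing ("algo$iterations$salt_hex$hash_hex") so the
    work factor can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the password under test with the stored salt and compare hashes.

    Returns False (instead of raising) for malformed or foreign records.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: store the record, never the plaintext.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
```

Note that a stored hash can only be checked against a password the user types again; it cannot be turned back into the plaintext a mail client has to present to its server, so this answers Todd's login-check case rather than Riccardo's stored-credential case.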