Encryption Recommendation

Michael Ströder michael at stroeder.com
Tue Jan 29 10:10:01 CET 2008


Diez B. Roggisch wrote:
> rogerrath2 at gmail.com wrote:
> 
>> I'm still using Python 2.4.  In my code, I want to encrypt a password
>> and at another point decrypt it.  What is the standard way of doing
>> encryption in python?  Is it the Pycrypto module?
> 
> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.
> 
> If a user enters the password, use the same algorithm, and compare the
> resulting hashes with the stored one.

And don't forget to add a salt so that same passwords do not have the 
same hash.

But if the password checking is done with a challenge-response mechanism 
(e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's required that the 
instance checking the password has the clear-text password available. So 
reversible encryption for storing passwords might be required.

Ciao, Michael.



More information about the Python-list mailing list