How to store passwords?
jstroud at mbi.ucla.edu
Wed Jan 7 22:10:54 CET 2009
> I'm writing a program in which I will ask users to enter user name and
> password once only. It's a console based program that will run on
> Windows XP. Actually, I'm trying to provide the similar functionality
> as "Remember me" thing in browsers. For that, I will need to store
> user name and passwords on the disk. I don't have a background in
> Crypto so how do you suggest I do that? What algorithms shall I be
> using? Moreover, I cannot use a whole library to do that due to
> certain issues. However, I can use like 1--2 files that will be
> shipped along with the main script. Any ideas? Any help will be really
> appreciated. Thanks.

There is a pure Python implementation of Blowfish out there. Google will
help you. I can't remember which, if any, types of block chaining it
supports. In some cases, it is important to use a block chaining
protocol, but for passwords with high entropy (i.e. good passwords), block
chaining is not really necessary.

256-bit Blowfish or AES are adequate for storage of sensitive passwords.
You would be well advised to read a manual like Schneier before you use
cryptography for sensitive applications. Pitfalls exist even when you
use a strong algorithm and think you know what you are doing. Stay away
from stream ciphers. They are easy to screw up.

Don't attempt to use DES, etc., for this either; they are not secure
enough. Don't pretend that you can invent your own cipher either, just in
case the thought might cross your mind. Google "adacrypt" for some
hilarity in this area.

If you check out sf.passerby.net and download the source, you will see a
pure Python module in there called jenncrypt which can help with
buffering and has minimal fileIO type emulation for block ciphers, which
you will appreciate when you try to use your block cipher for plaintexts
of irregular sizes.
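
An added illustration (not part of the original post, and not code from any module it mentions) of the two mechanics the reply refers to: block chaining, and padding plaintexts of irregular size. The 8-byte block cipher here is a constructed Feistel stand-in built from HMAC-SHA256 so the example runs on the standard library alone; it is an assumption for demonstration, not Blowfish or AES, and all function names are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8  # bytes, the block size of Blowfish

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Constructed stand-in for Blowfish/AES (HMAC-SHA256 rounds). Not for real use.
    l, r = block[:4], block[4:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:4])
    return r + l  # final swap: decryption is the same network, rounds reversed

def encrypt_block(key, block):
    return _feistel(key, block, range(8))
def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(8)))

def pad(data):
    # PKCS#7: append 1..BLOCK bytes, each holding the pad length.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # No chaining: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(plaintext)))

def cbc_encrypt(key, plaintext, iv=None):
    # Chaining: XOR each block with the previous ciphertext block (IV first).
    out = [iv or os.urandom(BLOCK)]
    for b in blocks(pad(plaintext)):
        out.append(encrypt_block(key, _xor(b, out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    cs = blocks(ciphertext)
    return unpad(b"".join(_xor(decrypt_block(key, c), p) for p, c in zip(cs, cs[1:])))
```

For the constructed 17-byte password `hunter2!hunter2!x`, the first two ciphertext blocks from `ecb_encrypt` are identical, while the corresponding blocks from `cbc_encrypt` differ and `cbc_decrypt` recovers the original bytes.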