How to store passwords?

James Stroud jstroud at mbi.ucla.edu
Wed Jan 7 22:10:54 CET 2009


Oltmans wrote:
> I'm writing a program in which I will ask users to enter user name and
> password once only. It's a console based program that will run on
> Windows XP. Actually, I'm trying to provide the similar functionality
> as "Remember me" thing in browsers. For that, I will need to store
> user name and passwords on the disk. I don't have a background in
> Crypto so how do you suggest I do that? What algorithms shall I be
> using? Moreover, I cannot use a whole library to do that due to
> certain issues. However, I can use like 1--2 files that will be
> shipped along with the main script. Any ideas? Any help will be really
> appreciated. Thanks.

There is a pure python implementation of blowfish out there. Google will 
help you. I can't remember which, if any, types of block chaining it 
supports. In some cases, it is important to use a block chaining 
protocol, but for passwords with high entropy (ie good passwords), block 
chaining is not really necessary.

256 bit Blowfish or AES are adequate for storage of sensitive passwords. 
You would be well advised to read a manual like Schneier before you use 
cryptography for sensitive applications. Pitfalls exist even when you 
use a strong algorithm and think you know what you are doing. Stay away 
from stream ciphers. They are easy to screw up.

Don't attempt to use DES, etc., for this either, they are not secure 
enough. Don't pretend that you can invent your own cipher either just in 
case the thought might cross your mind. Google "adacrypt" for some 
hilarity in this area.

If you check out sf.passerby.net and download the source, you will see a 
pure python module in there called jenncrypt which can help with 
buffering and has minimal fileIO type emulation for block ciphers, which 
you will appreciate when you try to use your block cipher for plaintexts 
of irregular sizes.

James



More information about the Python-list mailing list