Another security question
frank at chagford.com
Fri Dec 23 05:19:00 EST 2016
This is a follow-up to my recent 'security question' post.
I am starting a new thread, for 2 reasons -
1) I sent a link to the previous thread to my ISP for their information. It
is up to them whether they do anything with it, but I wanted to keep that
thread focused on the original issue raised.
2) This one is more on-topic, as it is to do with my python project.
Having read the previous thread and various links, I want to review the way
I handle passwords in my accounting application.
At present I just store a SHA-1 hash of the password for each user. Here are
my thoughts on improving this.
1. Generate a 'salt' for each password. There seem to be two ways in the
standard library to do this -
    import os
    import secrets
    salt = os.urandom(16)
    salt = secrets.token_bytes(16)
My guess is that it will not make much difference which I use.
2. Store the salt in the database along with the user-id and hashed password
for each user.
3. Generate the password from the string supplied by the user as follows -
    from hashlib import blake2b
    password = blake2b('my_password'.encode('utf-8'), salt=salt).digest()
The hashlib docs have the following warning -
"Salted hashing (or just hashing) with BLAKE2 or any other general-purpose
cryptographic hash function, such as SHA-256, is not suitable for hashing
passwords. See BLAKE2 FAQ for more information."
I propose to ignore this warning. I feel that, for my purposes, the above
procedure is adequate.
Does all this sound reasonable?
Any comments appreciated.
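
Added example, not part of the original post: the hashlib warning quoted above concerns fast general-purpose hashes, so this code keeps the post's per-user random salt but derives the stored value with the standard library's deliberately slow hashlib.pbkdf2_hmac, and rewrites existing SHA-1 rows at the next successful login. The record format, the iteration count, the function names and the legacy layout (unsalted hex SHA-1 of the UTF-8 password) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for one DB column."""
    salt = secrets.token_bytes(16)  # per-user random salt, as in step 1 of the post
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def _check_pbkdf2(password, stored):
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def _check_legacy_sha1(password, stored):
    # Assumed legacy format: 40 hex characters, unsalted SHA-1 of the UTF-8 password.
    candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode("ascii"), stored.lower().encode("utf-8"))


def verify_and_upgrade(password, stored):
    """Return (ok, new_record); new_record is set when the row should be rewritten."""
    if "$" in stored:
        ok = _check_pbkdf2(password, stored)
        # Re-hash records created with a lower work factor than the current one.
        stale = ok and int(stored.split("$")[1]) < ITERATIONS
    else:
        ok = _check_legacy_sha1(password, stored)
        stale = ok  # every legacy SHA-1 row is upgraded on successful login
    return ok, (hash_password(password) if stale else None)
```

When verify_and_upgrade returns a new record, the caller writes it back to the user's row in the same transaction as the login, so the SHA-1 value disappears as users sign in.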