Another security question

Frank Millman frank at chagford.com
Fri Dec 23 05:19:00 EST 2016


Hi all

This is a follow-up to my recent 'security question' post.

I am starting a new thread, for 2 reasons -

1) I sent a link to the previous thread to my ISP for their information. It 
is up to them whether they do anything with it, but I wanted to keep that 
thread focused on the original issue raised.

2) This one is more on-topic, as it is to do with my python project.

Having read the previous thread and various links, I want to review the way 
I handle passwords in my accounting application.

At present I just store a SHA-1 hash of the password for each user. Here are 
my thoughts on improving this.

1. Generate a 'salt' for each password. There seem to be two ways in the 
standard library to do this -
    import os
    salt = os.urandom(16)

    import secrets
    salt = secrets.token_bytes(16)

    My guess is that it will not make much difference which I use.

2. Store the salt in the database along with the user-id and hashed password 
for each user.

3. Generate the password from the string supplied by the user as follows -
    from hashlib import blake2b
    password = blake2b('my_password'.encode('utf-8'), salt=salt).digest()

The hashlib docs have the following warning -

"Salted hashing (or just hashing) with BLAKE2 or any other general-purpose 
cryptographic hash function, such as SHA-256, is not suitable for hashing 
passwords. See BLAKE2 FAQ for more information."

I propose to ignore this warning. I feel that, for my purposes, the above 
procedure is adequate.

Does all this sound reasonable?

Any comments appreciated.

Frank Millman




More information about the Python-list mailing list