Another security question

Frank Millman frank at chagford.com
Fri Dec 23 06:08:46 EST 2016


"Steve D'Aprano"  wrote in message 
news:585d009f$0$1599$c3e8da3$5496439d at news.astraweb.com...
>
> On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
>
> >
> > 3. Generate the password from the string supplied by the user as 
> > follows -
> >     from hashlib import blake2b
> >     password = blake2b('my_password'.encode('utf-8'), 
> > salt=salt).digest()
> >
> > The hashlib docs have the following warning -
> >
> > "Salted hashing (or just hashing) with BLAKE2 or any other 
> > general-purpose
> > cryptographic hash function, such as SHA-256, is not suitable for 
> > hashing
> > passwords. See BLAKE2 FAQ for more information."
>
> Why are using Blake2 when the docs explicitly say not to use them in this
> way? Have you read the FAQ to see what it says?
>

Why am I using Blake2? Well, before today I had not heard of it. However, in 
the past, when I needed to create a hashed password, I used the built-in 
hashlib module. Today, when I look at the docs for hashlib in Python 3.6, 
this is the new sub-heading -
    "15.2. hashlib — BLAKE2 hash functions"

So it appears that this is the new preferred way of doing it.

This is what the Blake2 FAQ says -

"You shouldn't use *any* general-purpose hash function for user passwords, 
not BLAKE2, and not MD5, SHA-1, SHA-256, or SHA-3. Instead you should use a 
password hashing function such as the PHC winner Argon2 with appropriate 
time and memory cost parameters, to mitigate the risk of bruteforce 
attacks—Argon2's core uses a variant of BLAKE2's permutation"

I see that there is a Python implementation of Argon2 in PyPi, but I don't 
particularly want to add another dependency to my app. My gut-feel says that 
this is overkill for my requirement. However, I am not sure. That is partly 
why I started this thread, to get some counter-arguments.

Frank




More information about the Python-list mailing list