Another security question
frank at chagford.com
Fri Dec 23 06:08:46 EST 2016
"Steve D'Aprano" wrote in message
news:585d009f$0$1599$c3e8da3$5496439d at news.astraweb.com...
> On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
> > 3. Generate the password from the string supplied by the user as
> > follows -
> > from hashlib import blake2b
> > password = blake2b('my_password'.encode('utf-8'),
> > salt=salt).digest()
> > The hashlib docs have the following warning -
> > "Salted hashing (or just hashing) with BLAKE2 or any other
> > general-purpose
> > cryptographic hash function, such as SHA-256, is not suitable for
> > hashing
> > passwords. See BLAKE2 FAQ for more information."
> Why are using Blake2 when the docs explicitly say not to use them in this
> way? Have you read the FAQ to see what it says?
Why am I using Blake2? Well, before today I had not heard of it. However, in
the past, when I needed to create a hashed password, I used the built-in
hashlib module. Today, when I look at the docs for hashlib in Python 3.6,
this is the new sub-heading -
"15.2. hashlib — BLAKE2 hash functions"
So it appears that this is the new preferred way of doing it.
This is what the Blake2 FAQ says -
"You shouldn't use *any* general-purpose hash function for user passwords,
not BLAKE2, and not MD5, SHA-1, SHA-256, or SHA-3. Instead you should use a
password hashing function such as the PHC winner Argon2 with appropriate
time and memory cost parameters, to mitigate the risk of bruteforce
attacks—Argon2's core uses a variant of BLAKE2's permutation"
I see that there is a Python implementation of Argon2 in PyPi, but I don't
particularly want to add another dependency to my app. My gut-feel says that
this is overkill for my requirement. However, I am not sure. That is partly
why I started this thread, to get some counter-arguments.
More information about the Python-list