On 21/05/2019 18.08, Giampaolo Rodola' wrote:
> 
> 
> On Tue, 21 May 2019 at 21:13, Christian Heimes <christ...@python.org 
> <mailto:christ...@python.org>> wrote:
> 
>     crypt
>     ~~~~~
> 
>     The `crypt <https://docs.python.org/3/library/crypt.html>`_ module implements
>     password hashing based on the ``crypt(3)`` function from ``libcrypt`` or
>     ``libxcrypt`` on Unix-like platforms. The algorithms are mostly old, of poor
>     quality and insecure. Users are discouraged from using them.
> 
>     * The module is not available on Windows. Cross-platform applications need
>       an alternative implementation anyway.
>     * Only DES encryption is guaranteed to be available. DES has an extremely
>       limited key space of 2**56.
>     * MD5, salted SHA256, salted SHA512, and Blowfish are optional extensions.
>       SSHA256 and SSHA512 are glibc extensions. Blowfish (bcrypt) is the only
>       algorithm that is still secure. However it's in glibc and therefore not
>       commonly available on Linux.
>     * Depending on the platform, the ``crypt`` module is not thread safe. Only
>       implementations with ``crypt_r(3)`` are thread safe.
>     * The module was never useful to interact with system user and password
>       databases.
> 
> 
> This is actually not true. Their main use case is to compare passwords 
> against the shadowed password db:
> https://github.com/giampaolo/pyftpdlib/blob/ee7b36c701b78b2d36e938c42d08dbfbad55a34f/pyftpdlib/authorizers.py#L413
> A quick search on searchcode.com shows both spwd and crypt modules are used.
> I am no security expert (and I wasn't aware they are insecure until now, since
> the doc doesn't mention it) but I would prefer seeing these 2 fixed or improved
> rather than bluntly removed.

PS: "pw1 != pw2" on line 418 is also vulnerable to side channel attack. You 
must use a constant timing comparison operator like hmac.compare_digest() to 
compare password digests.

https://github.com/giampaolo/pyftpdlib/blob/ee7b36c701b78b2d36e938c42d08dbfbad55a34f/pyftpdlib/authorizers.py#L418
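The point raised in the PS, shown side by side: a password check of the crypt(3) style (recompute the hash from the stored entry's parameters, then compare it to the stored string) is only as good as the comparison step. Below, as an added example that is not pyftpdlib's code nor the text of the PEP, the early-exit `==` check is placed next to the `hmac.compare_digest()` form. Because the `crypt` module is deprecated and absent from newer CPython releases, the example uses `hashlib.pbkdf2_hmac` as a stand-in hash function; with `crypt` available the same two `verify` functions apply unchanged with `crypt.crypt(password, stored_hash)` as the rehash step (that substitution is an assumption, not something the thread states). The hash format string, function names and the test password are all made up for the example.

```python
import hashlib
import hmac
import os

# Constructed hash format for the example (not a real crypt(3) scheme):
#   $pbkdf2-sha512$<rounds>$<salt hex>$<derived key hex>
# The salt and round count live inside the stored string, exactly as a
# crypt(3) "$6$salt$hash" entry carries its own parameters, so that a
# verifier can recompute the hash from the stored entry alone.
SCHEME = "pbkdf2-sha512"


def hash_password(password: str, salt_hex: str = "", rounds: int = 100_000) -> str:
    """Produce a self-describing salted hash of `password`.

    A random 16-byte salt is generated when none is supplied; the caller
    passes an explicit salt only when re-deriving from a stored entry.
    """
    if not salt_hex:
        salt_hex = os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), rounds)
    return f"${SCHEME}${rounds}${salt_hex}${dk.hex()}"


def rehash_with_stored_params(password: str, stored: str) -> str:
    """Recompute the hash of `password` using the salt/rounds held in `stored`.

    This mirrors crypt.crypt(password, stored): the stored hash doubles as
    the salt argument and the result is comparable to the stored value.
    """
    _, scheme, rounds, salt_hex, _ = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported hash scheme: {scheme}")
    return hash_password(password, salt_hex, int(rounds))


def verify_insecure(password: str, stored: str) -> bool:
    """The pattern criticised in the PS: `==`/`!=` on hash strings.

    str comparison returns at the first differing byte, so the time taken
    leaks how long the common prefix of the two hashes is.
    """
    return rehash_with_stored_params(password, stored) == stored


def verify(password: str, stored: str) -> bool:
    """Constant-time variant: hmac.compare_digest() always scans the full
    length of its inputs, so timing does not depend on where they differ.
    Comparing bytes (not str) avoids compare_digest's ASCII-only rule for str."""
    candidate = rehash_with_stored_params(password, stored).encode("ascii")
    return hmac.compare_digest(candidate, stored.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample entry, as a user database row would hold it.
    entry = hash_password("correct horse battery staple")
    print(entry)
    print("good password, compare_digest:", verify("correct horse battery staple", entry))
    print("bad password,  compare_digest:", verify("Tr0ub4dor&3", entry))
```

Note that `hmac.compare_digest()` only removes the data-dependent timing of the comparison itself; the rehash step before it still costs the same for a right and a wrong password, which is the property that makes the whole check timing-neutral.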
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev