On 01.03.2014 19:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato <rvernu...@gmail.com> wrote:
>> Hello everybody, I implemented a password validation with a Python 2.7.5 
>> script in OpenSUSE 13.1. The user calls it passing 'login' and 'password' as 
>> arguments. I made a dictionary in the format hashtable = 
>> {'login':'password'} and I use this hash table to compare the 'login' and 
>> 'password' that were passed in order to validate them. The problem is that 
>> any user who can execute the script will be able to read it too (since it 
>> must be read by python's interpreter), and this is causing some security 
>> issues since any user can access all other users' passwords if he opens this 
>> script and reads the code.
>>
>> My question is: is there a way of preventing the user from reading the 
>> script's content? Is there any strategy I could use to hide the passwords 
>> from the users?
>>
> 
> Yeah, that's a pretty major issue, right there :)
> 
> The most common way to deal with this is to salt and hash your
> passwords. While that might sound like a great thing to do to
> potatoes, it's also the best way to stop your passwords from being
> sniffed.
> 
> Best practice is to combine the password with the user name and with
> some fixed text (the "salt"), and then run it through a
> cryptographically secure hashing algorithm. In Python 2.7, you have
> the hashlib module:
> 
>>>> import hashlib
>>>> login = 'rosuav'
>>>> password = 'xkcd936passwordgoeshere'
>>>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
>>>> encrypted
> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'

Please don't do that. It's insecure and not the proper way to handle
passwords. In fact it's insecure on so many levels that I don't know
where to start...

A hash function and a fixed salt are always the wrong way to handle
passwords. You must use a non-deterministic key stretching and key
derivation function with a salt from a CPRNG. For example PBKDF2
(usually used with HMAC as PRF), bcrypt or scrypt are well studied and
tunable KDFs. You must also use a constant-time comparison function.

You don't have to do all the hard stuff on your own. I highly recommend
`passlib` to handle your passwords. It has a good API and is secure.

Christian
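
The scheme Christian describes (a per-user salt from a CPRNG, PBKDF2-HMAC as the KDF, a constant-time comparison on verification), as an added stdlib example that is not part of the thread; it uses Python 3, the function names and the 200000 iteration count are my own choices, and the stored table then holds salted hashes instead of plaintext, so a user who reads the script no longer learns other users' passwords.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune it so one hash costs tens of milliseconds on your box.
ITERATIONS = 200000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash' for storage.

    A fresh 16-byte salt from os.urandom (the CPRNG) is drawn per call, so the
    same password yields a different record every time it is hashed.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        iterations,
        base64.b64encode(salt).decode('ascii'),
        base64.b64encode(dk).decode('ascii'),
    )


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and iteration count, compare in constant time."""
    scheme, iters, salt_b64, hash_b64 = stored.split('$')
    if scheme != 'pbkdf2_sha256':
        raise ValueError('unsupported hash scheme: %s' % scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, int(iters))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(dk, expected)


# Dummy record used for unknown logins so the lookup takes the same time either way.
_DUMMY = hash_password('', iterations=ITERATIONS)


def validate(login, password, table):
    """Check login/password against a table of {login: stored_record}."""
    stored = table.get(login)
    if stored is None:
        verify_password(password, _DUMMY)  # burn the same KDF cost, then reject
        return False
    return verify_password(password, stored)
```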

-- 
https://mail.python.org/mailman/listinfo/python-list