On 01.03.2014 19:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato <rvernu...@gmail.com> wrote:
>> Hello everybody, I implemented a password validation with a Python 2.7.5
>> script in OpenSUSE 13.1. The user calls it passing 'login' and 'password' as
>> arguments. I made a dictionary in the format hashtable =
>> {'login':'password'} and I use this hash table to compare the 'login' and
>> 'password' that were passed in order to validate them. The problem is that
>> any user who can execute the script will be able to read it too (since it
>> must be read by python's interpreter), and this is causing some security
>> issues since any user can access all other users' passwords if he opens this
>> script and reads the code.
>>
>> My question is: is there a way of preventing the user from reading the
>> script's content? Is there any strategy I could use to hide the passwords
>> from the users?
>>
>
> Yeah, that's a pretty major issue, right there :)
>
> The most common way to deal with this is to salt and hash your
> passwords. While that might sound like a great thing to do to
> potatoes, it's also the best way to stop your passwords from being
> sniffed.
>
> Best practice is to combine the password with the user name and with
> some fixed text (the "salt"), and then run it through a
> cryptographically secure hashing algorithm. In Python 2.7, you have
> the hashlib module:
>
>>>> import hashlib
>>>> login = 'rosuav'
>>>> password = 'xkcd936passwordgoeshere'
>>>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
>>>> encrypted
> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
Please don't do that. It's insecure and not the proper way to handle passwords. In fact it's insecure on so many levels that I don't know where to start...

A hash function and a fixed salt are always the wrong way to handle passwords. You must use a non-deterministic key stretching and key derivation function with a salt from a CPRNG. For example PBKDF2 (usually used with HMAC as PRF), bcrypt or scrypt are well studied and tunable KDFs. You must also use a constant timing comparison function.

You don't have to do all the hard stuff on your own. I highly recommend `passlib` to handle your passwords. It has a good API and is secure.

Christian
-- 
https://mail.python.org/mailman/listinfo/python-list
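The three points in Christian's reply (a per-user random salt instead of a fixed string, a key-stretching KDF instead of a bare hash, and a constant-time comparison) in working form, as an added example that is not code from the thread. It uses only the standard library (hashlib.pbkdf2_hmac and hmac.compare_digest, available in Python 3.4+ and 2.7.8+; this version targets Python 3) rather than the passlib package recommended above, and the iteration count, salt length and record layout are assumptions chosen for illustration. The stored table replaces the {'login': 'password'} dictionary from the original question: a user who can read the script learns only salts and derived keys, not passwords.

```python
import hashlib
import hmac
import os

# Assumed tuning values for this example; raise ITERATIONS as hardware allows.
ITERATIONS = 100_000
SALT_BYTES = 16
DKLEN = 32


def make_record(password, iterations=ITERATIONS):
    """Return a storable record {salt, iterations, hash} for one password.

    The salt comes from os.urandom, so hashing the same password twice yields
    two different records: a leaked table cannot be attacked with a
    precomputed table, and two users with the same password look different.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record, password):
    """Re-derive the key with the stored salt and iteration count and compare
    in constant time, so a mismatch cannot be timed byte by byte."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
        dklen=DKLEN,
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


# A throwaway record (constructed here) so that lookups of unknown logins
# cost the same as real ones and response time does not reveal which
# logins exist.
_DUMMY = make_record("not-a-real-password")


def check_login(store, login, password):
    """Validate (login, password) against a {login: record} table."""
    record = store.get(login)
    if record is None:
        verify(_DUMMY, password)
        return False
    return verify(record, password)


def build_store(credentials):
    """Turn a {login: plaintext} dict into a {login: record} table.

    This runs once, when accounts are created; only the result is kept on
    disk, never the plaintext."""
    return {login: make_record(pw) for login, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    store = build_store({"rosuav": "xkcd936passwordgoeshere", "renato": "hunter2"})
    print(check_login(store, "rosuav", "xkcd936passwordgoeshere"))  # True
    print(check_login(store, "rosuav", "wrong"))                    # False
    print(check_login(store, "nobody", "anything"))                 # False
```

Note that the script file still has to be readable by whoever runs it, so the fix is to make the stored values useless rather than to hide them; keeping the table in a separate file that only the validating process can read is an additional measure, not a substitute for this one.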