Is this a secure way to hash a password?
Problem
I'm implementing a login system on app engine (I have to, so please don't tell me to use the User service, or another way to delegate authentication), and I'm wondering whether this setup is secure.
Would this be a secure way to store passwords?
from pbkdf2 import PBKDF2
import os
# passphrase: the password submitted by the user (supplied by the caller)
salt = os.urandom(8)  # random per-user salt; must be stored alongside the hash
# 32-byte derived key, hex-encoded (Python 2 str.encode("hex")); iteration count is the module default
password = PBKDF2(passphrase, salt).read(32).encode("hex")
Solution
Pretty much, yes. PBKDF2 is a well-established algorithm, and os.urandom is a suitable CSPRNG that can be used in salt generation on all major platforms (patched, of course).
Your implementation is also brutally simple. The simpler a system, the more secure it can be. Needless complexity leads to insecurities.
So yes, the system is secure, but it is also subject to Moore's law, just like every other computer system or piece of software. To get around this, the number of rounds (iterations) in strong encryption algorithms is a variable taken into account.
In bcrypt, for example, the number of rounds is 2^workload (default 12), and in PBKDF2 the number of rounds is an int passed to the function. Beware that if you need to use a Cython interface, your password hashing is a strongly blocking call (this has bitten me before).
Context
StackExchange Code Review Q#24657, answer score: 5
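The answer's point that the PBKDF2 round count should be a variable you can raise over time is easiest to see when the iteration count and salt are stored next to the hash. The following is an added example, not code from the question or the answer: it uses the standard library's hashlib.pbkdf2_hmac instead of the pbkdf2 package, and the record format, the 200,000-iteration policy and the function names are choices made for this illustration.

```python
import hashlib
import hmac
import os

# Record format: algorithm$iterations$salt_hex$hash_hex. Keeping the
# iteration count in the record lets the policy be raised later (Moore's
# law) without invalidating hashes that were made with fewer rounds.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000   # policy value chosen for this example
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(passphrase, iterations=CURRENT_ITERATIONS, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 key and encode it with its parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # CSPRNG salt, as in the question
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(passphrase, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations),
                                 dklen=KEY_BYTES)
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(stored, minimum_iterations=CURRENT_ITERATIONS):
    """True when the record was made with fewer rounds than current policy."""
    return int(stored.split("$")[1]) < minimum_iterations
```

A login handler would call verify_password and, on success, re-hash with hash_password whenever needs_rehash reports the old record is below the current round count.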