
Is this a secure way to hash a password?

Submitted by: @import:stackexchange-codereview

Problem

I'm implementing a login system on app engine (I have to, so please don't tell me to use the User service, or another way to delegate authentication), and I'm wondering whether this setup is secure.

from pbkdf2 import PBKDF2
import binascii
import os

passphrase = "correct horse battery staple"  # the password being stored (example value)

salt = os.urandom(8)  # random per-user salt; it must be stored alongside the hash
# PBKDF2(passphrase, salt) runs the library's default iteration count;
# read(32) returns 32 bytes of derived key, hex-encoded here for storage
# (hexlify works on both Python 2 and 3, unlike str.encode("hex")).
password = binascii.hexlify(PBKDF2(passphrase, salt).read(32)).decode("ascii")


Would this be a secure way to store passwords?

Solution

Pretty much, yes. PBKDF2 is a well-established algorithm, and os.urandom is a suitable CSPRNG that can be used in salt generation on all major platforms (patched, of course).

Your implementation is also brutally simple. The simpler a system, the more secure it can be. Needless complexity leads to insecurities.

So yes, the system is secure, but it is also subject to Moore's law, just like every other computer system or piece of software. To get around this, the number of rounds (iterations) in strong encryption algorithms is a variable taken into account.

In bcrypt, for example, the number of rounds is 2^workload (default 12), and in PBKDF2 the number of rounds is an int passed to the function. Beware that if you need to use a Cython interface, your password hashing is a strongly blocking call (this has bitten me before).
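The answer's point about the iteration count being the knob you turn as hardware gets faster is easiest to see with the full store/verify/upgrade cycle. The following is an added example, not code from the question or the answer; it uses the standard library's hashlib.pbkdf2_hmac instead of the pbkdf2 package, and the record format, function names and the 200,000-iteration target are assumptions chosen for illustration. It stores the salt and the iteration count next to the hash so that the count can be raised for each user the next time they log in, which is the only moment the plaintext is available to recompute the hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Tunable parameters. The iteration count is the "rounds" the answer refers to;
# the value below is a constructed example, not a recommendation for any
# particular year of hardware.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(passphrase: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a key with PBKDF2-HMAC and return a self-describing record.

    Format (assumed here): pbkdf2_<hash>$<iterations>$<salt hex>$<key hex>.
    Salt and iteration count travel with the hash, so the verifier needs no
    out-of-band state and the count can be raised later, one user at a time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt per password
    dk = hashlib.pbkdf2_hmac(HASH_NAME, passphrase.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return "$".join(["pbkdf2_" + HASH_NAME, str(iterations),
                     salt.hex(), dk.hex()])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (hash name, iterations, salt, derived key)."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if not algo.startswith("pbkdf2_"):
        raise ValueError("unsupported record format")
    return (algo[len("pbkdf2_"):], int(iterations),
            bytes.fromhex(salt_hex), bytes.fromhex(dk_hex))


def verify_password(passphrase: str, record: str) -> bool:
    """Recompute the key with the stored parameters and compare in constant
    time, so response timing does not leak how many leading bytes matched."""
    hash_name, iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac(hash_name, passphrase.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer rounds than the current target."""
    return parse_record(record)[1] < target_iterations


def login(passphrase: str, record: str,
          target_iterations: int = ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Verify the password; if it is correct and the stored hash is stale,
    also return an upgraded record for the caller to persist.

    The upgrade can only happen here because the plaintext is needed to
    compute the new hash; stored hashes cannot be strengthened offline.
    """
    if not verify_password(passphrase, record):
        return False, None
    if needs_rehash(record, target_iterations):
        return True, hash_password(passphrase, target_iterations)
    return True, None


if __name__ == "__main__":
    # Constructed walk-through: a record created long ago with 1,000 rounds.
    old_record = hash_password("correct horse battery staple", iterations=1_000)
    ok, upgraded = login("correct horse battery staple", old_record)
    print("login ok:", ok, "| rehashed to", parse_record(upgraded)[1], "rounds")
    print("wrong password accepted:", verify_password("Tr0ub4dor&3", old_record))
```

Because a login with a correct password and a stale record takes two PBKDF2 computations (verify at the old count, rehash at the new one), and every hash is a blocking CPU-bound call as the answer warns, the verification is best kept off any request thread that must stay responsive.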

Context

StackExchange Code Review Q#24657, answer score: 5
