tkbx

Reputation: 16285

Saving hashed passwords - Safe?

Would a Python script like this be safe to use? There would be a file "theFile" on the disk:

import hashlib

# "theFile" holds the hex SHA-512 digest of the password, written earlier.
with open("theFile") as theFile:
    myPassHash = theFile.read().strip()   # drop the trailing newline
enteredPassword = raw_input("Enter your password: ")
# .hexdigest() is required: sha512() returns a hash object, which never compares
# equal to the stored string, so the comparison below would always be False.
enteredHash = hashlib.sha512(enteredPassword).hexdigest()
if myPassHash == enteredHash:
    print "Correct!"
else:
    print "Incorrect!"

Upvotes: 1

Views: 334
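To make concrete what the answers below mean by "rainbow table" and "brute force", here is an added Python 3 example (not part of the original question) that stores passwords the way the script above does, unsalted SHA-512, and then cracks them with a constructed six-word wordlist. It also shows a salted variant so the difference in attacker effort is measurable; the record format `salt_hex:digest_hex`, the user names and the wordlist are all assumptions made for the example.

```python
import hashlib
import os


def unsalted_record(password):
    """Exactly what the question's script stores: the bare SHA-512 hex digest."""
    return hashlib.sha512(password).hexdigest()


# Constructed sample users; two of them chose the same weak password.
USERS_UNSALTED = {
    "alice": unsalted_record(b"letmein"),
    "bob": unsalted_record(b"password1"),
    "carol": unsalted_record(b"letmein"),
}

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = [b"123456", b"password", b"letmein", b"qwerty", b"password1", b"dragon"]


def crack_unsalted(stored, wordlist):
    """Hash each candidate once and look every stored digest up in that table.
    Total work is len(wordlist) hashes no matter how many users there are, and
    the table can be built before the breach (that is what a rainbow table is).
    Identical passwords also produce identical digests, so alice == carol."""
    table = {unsalted_record(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(table)


def store_salted(password, salt=None):
    """Random per-user salt prefixed to the password before hashing. Still a
    fast hash (see the answers recommending bcrypt), but no shared table works."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + ":" + hashlib.sha512(salt + password).hexdigest()


def crack_salted(stored, wordlist):
    """The attacker must rehash the wordlist separately for every user's salt:
    work grows to len(wordlist) * len(users) and nothing can be precomputed."""
    found = {}
    work = 0
    for user, record in stored.items():
        salt_hex, digest = record.split(":")
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            work += 1
            if hashlib.sha512(salt + candidate).hexdigest() == digest:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(USERS_UNSALTED, WORDLIST))
    salted = {u: store_salted(p) for u, p in
              [("alice", b"letmein"), ("bob", b"password1"), ("carol", b"letmein")]}
    print("salted:  ", crack_salted(salted, WORDLIST))
```

With six candidates and three users the unsalted table costs 6 hashes and recovers all three passwords; the salted store costs 11 hashes here and would cost 6 per user in general. Salting removes the shared precomputation but does not slow down per-user guessing, which is why the answers below go a step further.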

Answers (5)

Pedro Werneck

Reputation: 41918

You shouldn't be using a general purpose hash algorithm like SHA-2 for storing passwords, even with salts. Salts protect you from rainbow tables, but they won't protect you from brute-force attacks. Processing is cheap and easily available these days for anyone with a credit card, and if your database is compromised, even with salts someone can crack the poorly chosen passwords easily.

There are specific hash functions created for the purpose of storing passwords. The difference is that it allows you to adjust how many cycles of the encryption algorithm are used to generate your hash, and therefore how expensive it is to do it, or how long it takes. This makes brute force attacks much harder, even when much faster computers become available.

One of them is bcrypt, available for Python here:

>>> import bcrypt
>>> h = bcrypt.hashpw('lero', bcrypt.gensalt(10))   # cost factor 10
>>> j = bcrypt.hashpw('lero', bcrypt.gensalt(12))   # cost factor 12, 4x the work
>>> h
'$2a$10$FhdV1LfOPfxvHcwbWSZLiupbUL8i.som6GyqWue6VBwVgKK9cZcRi'
>>> j
'$2a$12$bgZ1eFD/VTGWUtA8jhnUcO7JjpIpBRjbNpQ9DcYQvtyQV4XsjAXU6'

The call to bcrypt.gensalt() determines how complex the generated hash is. As you can see, they both generate a hash, but the call with bcrypt.gensalt(12) takes longer. As computers get faster, you can increase that and regenerate the hashes from time to time, so brute force attacks won't ever be effective.

Upvotes: 2
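The answer above makes two points worth seeing in code: the cost must be stored alongside the hash, and it must be possible to raise it later and regenerate hashes. The following is an added Python 3 example, not Pedro's code and not the bcrypt library's API; it uses the standard library's PBKDF2-HMAC-SHA512 (`hashlib.pbkdf2_hmac`) in place of bcrypt so it runs with no third-party package, with the iteration count playing the role of bcrypt's cost factor. The record format `pbkdf2_sha512$iterations$salt$digest`, the policy constant and the sample password are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed policy value. A deployment raises this over time; it is kept small
# here so the example runs quickly (real values are tuned to ~100 ms per hash).
CURRENT_ITERATIONS = 20_000
ALGORITHM = "pbkdf2_sha512"   # record layout below is this example's own, not a standard


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    Storing the cost next to the digest is what allows raising it later."""
    if salt is None:
        salt = os.urandom(16)                      # 128-bit per-user random salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def _parse(record):
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record type: " + algorithm)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, record):
    """Recompute with the salt and cost taken from the record itself, then
    compare in constant time so response timing leaks nothing about the digest."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True when the record was produced with a lower cost than current policy."""
    iterations, _, _ = _parse(record)
    return iterations < CURRENT_ITERATIONS


def login(password, record):
    """Verify the password; on success, if the stored cost is stale, return an
    upgraded record for the caller to write back. Login is the only moment the
    plaintext is available, so it is the only moment the hash can be regenerated."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    old = hash_password("correct horse battery", iterations=1_000)   # legacy cost
    ok, upgraded = login("correct horse battery", old)
    print(ok, needs_rehash(old), needs_rehash(upgraded))
    print(upgraded)
```

The verify path never consults `CURRENT_ITERATIONS`; it trusts the cost in the record, which is what keeps old hashes checkable after the policy changes. `hmac.compare_digest` replaces the `==` in the question's script, which short-circuits on the first differing byte.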

Thomas Waldmann

Reputation: 491

Use passlib, don't write your own password crypto / checking code.

Upvotes: 0

Adam V

Reputation: 6356

This looks like it's susceptible to a rainbow table attack, because you're not salting the password.

For more information on salts (and why it's a bad idea to roll your own authentication mechanism), read Eric Lippert's fabulous series on password salting.

Upvotes: 8

dfb

Reputation: 13289

Check out something like this

http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

This is PHP, but the same applies. You need a salt, at minimum.

Upvotes: 0

danielrsmith

Reputation: 4060

If you are going to use a hashing algorithm for password you probably want to use a salt as well. Take a look at this article about salts: http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

Upvotes: 3
