tom

Reputation: 2299

Best practices for storing passwords in GAE/python

I need to implement password storage in my GAE/python2.7 app. I've already implemented cookies for authorization, I already have an Account/user model, and I already have authentication via 3rd parties. Now I need to add authentication via password (a customer request).

I want the passwords to be stored securely. I've identified a couple of options (below) that seem sensible, but I've never implemented password storage before, so I don't know what I don't know. I'd rather avoid a problem than wait for a problem.

My question is: is this best practice for GAE? If not, what is?

Note that I'm only looking for a way to hash passwords prior to storage, and compare. I don't need a full-stack users module.

I've already reviewed a previous question which is helpful, but doesn't directly solve my problem.

The options:

  1. Use Django. Something like

    import django.contrib.auth.hashers as foo
    to_store_in_db = foo.make_password(conforming_password)
    
    # later
    
    passes = foo.check_password(entered_password, password_from_db)
    

    (we don't currently use Django in our app, so we can use whichever we prefer, but I'm proposing 1.4 because it is the most recent available in GAE that isn't the moving target of 'latest')

  2. Use webapp2_extras.security - similar to the above, but using

    generate_password_hash() #Seems like it only supports md5/sha1
    check_password_hash()
    

thanks

tom

Upvotes: 3

Views: 507

Answers (1)

jb.

Reputation: 23995

There is a built-in function just for that: https://docs.python.org/2/library/hashlib.html#key-derivation-function.

    >>> import hashlib, binascii
    >>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
    >>> binascii.hexlify(dk)
    b'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'

Where salt should be a random string stored in the database alongside the password. This uses sha256, which seems to be good enough for this purpose.

Getting a good (securely random) salt might be a problem, but on newer versions of GAE you can specify a pycrypto dependency and use:

    from Crypto.Random import get_random_bytes

Upvotes: 2
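The answer above shows the one-off `pbkdf2_hmac` call; what the question actually needs is the surrounding hash-and-verify pair that picks a fresh salt per password, stores salt and iteration count next to the hash, and compares in constant time. The following is an added example (not code from the question, the answer, or GAE/Django); it assumes `os.urandom` as the salt source, which can be swapped for the `get_random_bytes` the answer suggests, and the `pbkdf2_sha256$iters$salt$hash` storage format is this example's own choice.

```python
import binascii
import hashlib
import hmac
import os

# Constructed example around hashlib.pbkdf2_hmac (Python 2.7.8+ / 3.4+).
# Salt source is os.urandom here (an assumption); on GAE the answer's
# Crypto.Random.get_random_bytes can be used instead.
ITERATIONS = 100000   # same count as the answer's example
SALT_BYTES = 16       # 128-bit random salt, unique per stored password


def make_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: pbkdf2_sha256$iters$salt_hex$hash_hex.

    Storing iterations and salt with the hash lets them be checked later
    (and lets the iteration count be raised for new passwords over time).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # never reuse a salt across users
    if not isinstance(password, bytes):
        password = password.encode('utf-8')
    dk = hashlib.pbkdf2_hmac('sha256', password, salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        iterations,
        binascii.hexlify(salt).decode('ascii'),
        binascii.hexlify(dk).decode('ascii'),
    )


def check_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split('$')
        iterations = int(iters)
        salt = binascii.unhexlify(salt_hex)
    except (ValueError, TypeError):
        return False                    # malformed record, never a match
    if algo != 'pbkdf2_sha256':
        return False
    if not isinstance(password, bytes):
        password = password.encode('utf-8')
    dk = hashlib.pbkdf2_hmac('sha256', password, salt, iterations)
    # compare_digest avoids leaking the match length through timing
    return hmac.compare_digest(binascii.hexlify(dk).decode('ascii'), hash_hex)
```

With the answer's fixed inputs (`b'salt'`, 100000 iterations) `make_password` reproduces the answer's hex digest, so the two can be cross-checked.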
