User Tools

Site Tools


security

This is an old revision of the document!


Security

Shamus attempts to explain hashing then Use bcrypt to store passwords.

Consider py-bcrypt at code.google. No documentation there, yet. Old documentation.

At the bottom of this page, is the compiler used to make Python 2.6 and 2.7 Visual Studio 2008 Express.

On Windows, you'll have to make the following change:

$ diff bcrypt_python.c.org bcrypt_python.c
70a71,72
>       char *password_copy;
>       char *salt_copy;
76,77c78,79
<       char *password_copy = strdup(password);
<       char *salt_copy = strdup(salt);
---
>       password_copy = strdup(password);
>       salt_copy = strdup(salt);

Then you can build it with setup, like so:

c:\Python27\python.exe setup.py build
import bcrypt

# Hash a password for the first time, with a randomly-generated salt
hashed = bcrypt.hashpw(password, bcrypt.gensalt())

# gensalt's log_rounds parameter determines the complexity.
# The work factor is 2**log_rounds, and the default is 12
hashed = bcrypt.hashpw(password, bcrypt.gensalt(10))

# Check that an unencrypted password matches one that has
# previously been hashed
if bcrypt.hashpw(password, hashed) == hashed:
    print "It matches"
else:
    print "It does not match"

Never use passwords whose unsalted MD5 hash can be looked up here: http://md5.gromweb.com/

AES encryption of files in Python with PyCrypto. Note that pycrypto-2.3 can be built with the same c:\Python27\python.exe setup.py build mechanism.

Someone suggested Whirlpool_(cryptography), it's offered in mhash, and a pure-python implementation from Bjorn Edstrom be@bjrn.se 16 december 2007 is here http://www.bjrn.se/code/whirlpoolpy.txt.

Verification

Maybe I should try to automate a way to verify the SHA1 Checksums of PGP signatures and upon success, verify the PHP signatures. Here's an old recipe: HOWTO: Verify a PGP Signature.

Keywords: crypt, cryptography pgp sha

security.1316017431.txt.gz · Last modified: 2023/04/12 20:44 (external edit)