Table of Contents
Security
Quick links in case you need to verify things:
General Security
Shamus attempts to explain hashing then Use bcrypt to store passwords.
Consider py-bcrypt at code.google. No documentation there, yet. Old documentation.
At the bottom of this page, is the compiler used to make Python 2.6 and 2.7 Visual Studio 2008 Express.
On Windows, you'll have to make the following change:
$ diff bcrypt_python.c.org bcrypt_python.c 70a71,72 > char *password_copy; > char *salt_copy; 76,77c78,79 < char *password_copy = strdup(password); < char *salt_copy = strdup(salt); --- > password_copy = strdup(password); > salt_copy = strdup(salt);
Then you can build it with setup, like so:
c:\Python27\python.exe setup.py build
import bcrypt # Hash a password for the first time, with a randomly-generated salt hashed = bcrypt.hashpw(password, bcrypt.gensalt()) # gensalt's log_rounds parameter determines the complexity. # The work factor is 2**log_rounds, and the default is 12 hashed = bcrypt.hashpw(password, bcrypt.gensalt(10)) # Check that an unencrypted password matches one that has # previously been hashed if bcrypt.hashpw(password, hashed) == hashed: print "It matches" else: print "It does not match"
Never use passwords whose unsalted MD5 hash can be looked up here: http://md5.gromweb.com/
AES encryption of files in Python with PyCrypto. Note that pycrypto-2.3 can be built with the same c:\Python27\python.exe setup.py build
mechanism.
Someone suggested Whirlpool_(cryptography), it's offered in mhash, and a pure-python implementation from Bjorn Edstrom be@bjrn.se 16 december 2007 is here http://www.bjrn.se/code/whirlpoolpy.txt.
Verification
Maybe I should try to automate a way to verify the SHA1 Checksums of PGP signatures and upon success, verify the PHP signatures. Here's an old recipe: HOWTO: Verify a PGP Signature.
Keywords: crypt, cryptography pgp sha