Kallithea internals overview
Nick Coghlan
ncoghlan at gmail.com
Thu Feb 19 05:21:36 EST 2015
On 19 February 2015 at 13:21, Mads Kiilerich <mads at kiilerich.com> wrote:
>>> bcrypt: password hashing
>
> This area is weird. On Windows we don't use bcrypt but just hash the
> password. Weird that it uses different and compatible methods on different
> platforms. Bad that Windows uses an insecure method (can be attacked with
> rainbow tables).
>
> I don't know if there is some PBKDF2 implementation that would be better
> than bcrypt. But we should at least use bcrypt everywhere (while staying
> backward compatible).
The standard library provides hashlib.pbkdf2_hmac in 3.4+ and 2.7.8+:
https://docs.python.org/3/library/hashlib.html#key-derivation-function
https://docs.python.org/2/library/hashlib.html#key-derivation-function
So you could do a module attribute check for that at runtime, and only
fall back if it wasn't found.
Alternatively, since you'd need a fallback option for older versions
regardless, it might be useful to adopt the far more feature complete
passlib: https://pythonhosted.org/passlib/
Regards,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
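The runtime attribute check Nick describes, as an added example that is not part of the thread and not Kallithea's own code. It prefers `hashlib.pbkdf2_hmac` when the interpreter has it and otherwise falls back to a pure-Python PBKDF2 (RFC 2898 section 5.2) built from `hmac`, so the stored hashes are identical on either path. The `pbkdf2_sha256$iterations$salt$key` storage string, the iteration count and the `needs_rehash` helper for migrating legacy hashes on the next successful login are this example's own assumptions, written for Python 3:

```python
import hashlib
import hmac
import os
import struct

# Constructed storage format for this example (not Kallithea's): the
# scheme label, iteration count, hex salt and hex derived key joined by '$'.
SCHEME = "pbkdf2_sha256"
HASH_NAME = "sha256"
DEFAULT_ITERATIONS = 100000   # assumed default; tune to the deployment
SALT_BYTES = 16


def pbkdf2_hmac_pure(hash_name, password, salt, iterations, dklen=None):
    """PBKDF2 (RFC 2898 5.2) built from hmac only: the fallback for
    interpreters whose hashlib has no pbkdf2_hmac attribute."""
    digest_size = hashlib.new(hash_name).digest_size
    if dklen is None:
        dklen = digest_size
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    prf = hmac.new(password, digestmod=hash_name)  # keyed once, copied per use
    blocks = -(-dklen // digest_size)              # ceil(dklen / hLen)
    derived = b""
    for block_index in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); T_i = U_1 xor U_2 xor ... xor U_c
        u_mac = prf.copy()
        u_mac.update(salt + struct.pack(">I", block_index))
        u = u_mac.digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u_mac = prf.copy()
            u_mac.update(u)
            u = u_mac.digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        derived += bytes(t)
    return derived[:dklen]


# Module attribute check at import time: use the C implementation when the
# stdlib provides it (3.4+, 2.7.8+), otherwise the pure-Python version.
if hasattr(hashlib, "pbkdf2_hmac"):
    pbkdf2_hmac = hashlib.pbkdf2_hmac
else:
    pbkdf2_hmac = pbkdf2_hmac_pure


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it for storage."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per stored hash
    dk = pbkdf2_hmac(HASH_NAME, password, salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Constant-time check of a password against a stored string.
    Anything malformed yields False rather than an exception."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != SCHEME or iterations < 1 or not expected:
        return False
    if isinstance(password, str):
        password = password.encode("utf-8")
    candidate = pbkdf2_hmac(HASH_NAME, password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when a stored value uses another scheme (e.g. a legacy plain
    digest) or fewer iterations, so it can be re-hashed after a successful
    login while old entries keep working in the meantime."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("Tr0ub4dor&3", stored))
```

Because `verify_password` reads the iteration count out of the stored string, an installation can raise `DEFAULT_ITERATIONS` later and let `needs_rehash` drive a gradual upgrade, which is the "backward compatible" path the thread asks for.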