Kallithea internals overview

Nick Coghlan ncoghlan at gmail.com
Thu Feb 19 05:21:36 EST 2015


On 19 February 2015 at 13:21, Mads Kiilerich <mads at kiilerich.com> wrote:
>>> bcrypt: password hashing
>
>
> This area is weird. On Windows we don't use bcrypt but just hash the
> password. Weird that it uses different and compatible methods on different
> platforms. Bad that Windows uses an insecure method (can be attacked with
> rainbow tables).
>
> I don't know if there is some PBKDF2 implementation that would be better
> than bcrypt. But we should at least use bcrypt everywhere (while staying
> backward compatible).

The standard library provides hashlib.pbkdf2_hmac in 3.4+ and 2.7.8+:

https://docs.python.org/3/library/hashlib.html#key-derivation-function
https://docs.python.org/2/library/hashlib.html#key-derivation-function

So you could do a module attribute check for that at runtime, and only
fall back if it wasn't found.

Alternatively, since you'd need a fallback option for older versions
regardless, it might be useful to adopt the far more feature-complete
passlib: https://pythonhosted.org/passlib/

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
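As an added illustration of the runtime attribute check suggested above (example code, not from the thread or from Kallithea), this prefers hashlib.pbkdf2_hmac when the interpreter has it and otherwise falls back to a pure-Python PBKDF2-HMAC built on the hmac module, wrapped in a salted hash/verify pair. The iteration count and the stored-string layout are assumptions.

```python
import binascii
import hashlib
import hmac
import os
import struct

def _pbkdf2_hmac_pure(hash_name, password, salt, iterations, dklen=None):
    """Pure-Python PBKDF2-HMAC (RFC 2898) for interpreters older than
    2.7.8 / 3.4 that lack hashlib.pbkdf2_hmac."""
    digest = getattr(hashlib, hash_name)
    hlen = digest().digest_size
    if dklen is None:
        dklen = hlen
    out = b""
    block = 1
    while len(out) < dklen:
        # U1 = PRF(password, salt || INT(block)); Ti = U1 xor U2 xor ... Uc
        u = hmac.new(password, salt + struct.pack(">I", block), digest).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, digest).digest()
            t = bytearray(a ^ b for a, b in zip(t, bytearray(u)))
        out += bytes(t)
        block += 1
    return out[:dklen]

# Runtime attribute check: use the C implementation when present.
if hasattr(hashlib, "pbkdf2_hmac"):
    pbkdf2_hmac = hashlib.pbkdf2_hmac
else:
    pbkdf2_hmac = _pbkdf2_hmac_pure

ITERATIONS = 100000  # assumed work factor; tune per deployment

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>' (assumed layout)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats rainbow tables
    dk = pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, binascii.hexlify(salt).decode(), binascii.hexlify(dk).decode())

def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = binascii.unhexlify(salt_hex)
    dk = pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(binascii.hexlify(dk).decode(), dk_hex)
```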

