From: Christian Heimes
To: python-list@python.org
Newsgroups: comp.lang.python
Subject: Re: Password validation security issue
Date: Sat, 01 Mar 2014 19:31:10 +0100
References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com>

On 01.03.2014 19:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato wrote:
>> Hello everybody, I implemented a password validation with a Python 2.7.5
>> script in OpenSUSE 13.1. The user calls it passing 'login' and 'password'
>> as arguments. I made a dictionary in the format
>> hashtable = {'login':'password'} and I use this hash table to compare the
>> 'login' and 'password' that were passed in order to validate them. The
>> problem is that any user who can execute the script will be able to read
>> it too (since it must be read by python's interpreter), and this is
>> causing some security issues since any user can access all other users'
>> passwords if he opens this script and reads the code.
>>
>> My question is: is there a way of preventing the user from reading the
>> script's content? Is there any strategy I could use to hide the passwords
>> from the users?
>
> Yeah, that's a pretty major issue, right there :)
>
> The most common way to deal with this is to salt and hash your
> passwords. While that might sound like a great thing to do to
> potatoes, it's also the best way to stop your passwords from being
> sniffed.
>
> Best practice is to combine the password with the user name and with
> some fixed text (the "salt"), and then run it through a
> cryptographically secure hashing algorithm. In Python 2.7, you have
> the hashlib module:
>
> >>> import hashlib
> >>> login = 'rosuav'
> >>> password = 'xkcd936passwordgoeshere'
> >>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
> >>> encrypted
> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'

Please don't do that. It's insecure and not the proper way to handle
passwords. In fact it's insecure on so many levels that I don't know
where to start...

A hash function and a fixed salt are always the wrong way to handle
passwords. You must use a non-deterministic key stretching and key
derivation function with a salt from a CPRNG. For example PBKDF2
(usually used with HMAC as PRF), bcrypt or scrypt are well studied and
tunable KDFs. You must also use a constant timing comparison function.

You don't have to do all the hard stuff on your own. I highly recommend
`passlib` to handle your passwords. It has a good API and is secure.

Christian
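Added example, not code from anyone in the thread: the scheme Christian describes (PBKDF2-HMAC with a per-password salt from the OS CSPRNG and a constant-time comparison) done with only the standard library, which is what `passlib` wraps behind its API. It assumes Python 3.4 or newer for hashlib.pbkdf2_hmac and hmac.compare_digest; the sample credential is constructed.

```python
import hashlib
import hmac
import os

# Stored records are self-describing so the work factor can be raised later
# without breaking old entries: algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16               # 128-bit salt, one fresh value per password
DEFAULT_ITERATIONS = 200_000  # work factor; tune upward as hardware improves


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Derive a storable record for `password`.

    The salt comes from os.urandom (a CSPRNG), so hashing the same password
    twice gives two different records: no precomputed table applies, and two
    users with the same password are not linkable by their hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count.

    hmac.compare_digest runs in time independent of where the first
    mismatching byte is, so the comparison itself leaks nothing.
    Malformed or foreign records are rejected rather than raising.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample credential, reusing the password from Chris's example.
    record = hash_password("xkcd936passwordgoeshere")
    print(record)
    print(verify_password("xkcd936passwordgoeshere", record))  # True
    print(verify_password("wrong", record))                    # False
```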