Path: csiph.com!usenet.pasdenom.info!aioe.org!news.stack.nl!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.136
X-Spam-Level: *
X-Spam-Evidence: '*H*': 0.74; '*S*': 0.02; 'cc:addr:python-list': 0.11; 'able,': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; "skip:' 60": 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'wrote:': 0.18; 'cc:addr:python.org': 0.22; 'cc:2**0': 0.24; 'header:In-Reply- To:1': 0.27; 'skip:p 30': 0.29; 'am,': 0.29; 'message- id:@mail.gmail.com': 0.30; 'that.': 0.31; 'figure': 0.32; 'common': 0.35; 'received:google.com': 0.35; 'christian': 0.38; 'handle': 0.38; 'fact': 0.38; 'anything': 0.39; 'extremely': 0.39; 'above,': 0.60; 'information': 0.63; 'levels': 0.65; 'mar': 0.68; 'insecure': 0.84; 'protects': 0.84; 'start.': 0.84; 'encrypted': 0.91; 'to:none': 0.92
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=0lwmtzEcfwruohaSZBIM3WLMPAnOvsk911e1crXJPGU=; b=VQNTO9DeZAm1g+CyYHFf+DrOPgLYbTPOiwvIxQ0BNgvA12+Dba7e9JJBRbpGROT9Df 3IEFzt5cEU0SfgEN7LY+ipwZIPS9+YU3a1X7x5tG1LVIR1LXl5Ax/953XlVZMMqVndHe xJ31GMNWCMvb3M3OCigpTOu+WO2GgKx5keF2ovhYshA4FwzFw7YmyR+PsvPsz9vbAHQl m2HULeWfrzrx2HXMIsTCtHMhoEZ8WkwnibCi+mTGLAkXP/qSBsTKjjwJQPHoSbGVi3GC 6UfpNMIsq2/kA95S1gj0CuiE/E6Ra7BErKaMkjivsFyW5+5dAb9qrZ/MbigrVXXovZyi sVQg==
MIME-Version: 1.0
X-Received: by 10.66.146.229 with SMTP id tf5mr10757153pab.50.1393699508425; Sat, 01 Mar 2014 10:45:08 -0800 (PST)
In-Reply-To: <let920$fmn$1@ger.gmane.org>
References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org>
Date: Sun, 2 Mar 2014 05:45:08 +1100
Subject: Re: Password validation security issue
From: Chris Angelico <rosuav@gmail.com>
Cc: "python-list@python.org" <python-list@python.org>
Content-Type: text/plain; charset=UTF-8
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.7527.1393699511.18130.python-list@python.org>
Lines: 14
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1393699512 news.xs4all.nl 2911 [2001:888:2000:d::a6]:33583
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:67337

On Sun, Mar 2, 2014 at 5:31 AM, Christian Heimes <christian@python.org> wrote:
>>>>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
>>>>> encrypted
>> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
>
> Please don't do that. It's insecure and not the proper way to handle
> passwords. In fact it's insecure on so many levels that I don't know
> where to start...

Please do start. This is an extremely common practice; are you able,
from just the information above, to figure out the password using
anything better than brute force?

ChrisA