Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #67345

Re: Password validation security issue

From Christian Heimes <christian@python.org>
Subject Re: Password validation security issue
Date 2014-03-01 20:54 +0100
References <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org> <CAPTjJmq0MYQugUnsL52ZN0um=V3iABHmM4+vsffD=+2YV7t=MA@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.7533.1393703687.18130.python-list@python.org> (permalink)

Show all headers | View raw

On 01.03.2014 19:45, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 5:31 AM, Christian Heimes <christian@python.org> wrote:
>>>>>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
>>>>>> encrypted
>>> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
>>
>> Please don't do that. It's insecure and not the proper way to handle
>> passwords. In fact it's insecure on so many levels that I don't know
>> where to start...
> 
> Please do start. This is an extremely common practice; are you able,
> from just the information above, to figure out the password using
> anything better than brute force?

I'm aware that it's still a common technique. It makes me sad everytime
I see code that uses SHA256 for password hashing. :( Why haven't people
learnt from mistakes like LinkedIn's and Adobe's password disaster?

Yes, for most applications brute force is still the best option to crack
the password. Passwords are usually rather short, have a low entropy and
modern hardware is insanely fast. With software like [1] and a fast GPU
it is possible to do more than 10*10^9 checks/second for SHA-256.

Clever and very capable people have come up with algorithms like [2] to
make it much harder to crack passwords. The Wikipedia articles on KDF
and KSA explain both algorithm much better than I could. The PHC [3] is
a recent attempt to come up with an even more secure algorithm.

Please don't implement PBKDF2 on your own. Django, several other Python
libraries and OpenSSL did and made a really bad error that lead to a DoS
vulnerability.

Christian

[1] http://hashcat.net/oclhashcat/
[2] http://en.wikipedia.org/wiki/Key_derivation_function
[3] https://password-hashing.net/

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000

csiph-web