


Re: Password validation security issue

To python-list@python.org
From Christian Heimes <christian@python.org>
Subject Re: Password validation security issue
Date Sat, 01 Mar 2014 20:54:24 +0100
References <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com> <let920$fmn$1@ger.gmane.org> <CAPTjJmq0MYQugUnsL52ZN0um=V3iABHmM4+vsffD=+2YV7t=MA@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.7533.1393703687.18130.python-list@python.org> (permalink)


On 01.03.2014 19:45, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 5:31 AM, Christian Heimes <christian@python.org> wrote:
>>>>>> encrypted = hashlib.sha256(login+'NaCl protects your passwords'+password).hexdigest()
>>>>>> encrypted
>>> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
>>
>> Please don't do that. It's insecure and not the proper way to handle
>> passwords. In fact it's insecure on so many levels that I don't know
>> where to start...
> 
> Please do start. This is an extremely common practice; are you able,
> from just the information above, to figure out the password using
> anything better than brute force?

I'm aware that it's still a common technique. It makes me sad every time
I see code that uses SHA256 for password hashing. :( Why haven't people
learnt from mistakes like LinkedIn's and Adobe's password disaster?

Yes, for most applications brute force is still the best option to crack
the password. Passwords are usually rather short, have a low entropy and
modern hardware is insanely fast. With software like [1] and a fast GPU
it is possible to do more than 10*10^9 checks/second for SHA-256.

Clever and very capable people have come up with algorithms like [2] to
make it much harder to crack passwords. The Wikipedia articles on KDF
and KSA explain both algorithms much better than I could. The PHC [3] is
a recent attempt to come up with an even more secure algorithm.

Please don't implement PBKDF2 on your own. Django, several other Python
libraries and OpenSSL did and made a really bad error that led to a DoS
vulnerability.

Christian

[1] http://hashcat.net/oclhashcat/
[2] http://en.wikipedia.org/wiki/Key_derivation_function
[3] https://password-hashing.net/
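An added example, not code from the original post nor from Django, OpenSSL or any other library the post mentions: the fixed-string SHA-256 construction quoted in the thread placed beside a PBKDF2-HMAC scheme built only from the Python standard library, so the two can be run side by side. The function names, the iteration count, the salt length and the password length cap are assumptions chosen for illustration. The post does not say what error the hand-rolled PBKDF2 implementations made; the length cap is simply one precaution against oversized input, not a claim about that bug.

```python
"""
Illustrative password-storage example (assumed names and parameters).

weak_hash()      reproduces the construction quoted in the thread.
hash_password()  derives a per-user salted PBKDF2-HMAC-SHA256 record.
verify_password() checks a candidate against such a record.
"""
import hashlib
import hmac
import os

# The quoted construction. The login acts as a per-user salt but is
# predictable, the string constant is the same for every user, and a single
# SHA-256 is cheap, so an attacker holding the database can test guesses at
# GPU speed: nothing here adds a work factor.
FIXED_SALT = b"NaCl protects your passwords"


def weak_hash(login: str, password: str) -> str:
    """The thread's approach: sha256(login + constant + password)."""
    data = login.encode("utf-8") + FIXED_SALT + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


# Assumed parameters for the PBKDF2 scheme; tune ITERATIONS to your hardware.
ITERATIONS = 600_000        # work factor, assumed value
SALT_BYTES = 16             # random salt per stored password
MAX_PASSWORD_BYTES = 1024   # reject oversized input before doing any work


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    # Storing the parameters with the hash lets the work factor be raised
    # later without invalidating records written under the old value.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored record and compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False            # malformed record
    if algo != "pbkdf2_sha256":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False            # same cap as on the way in
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    # Constant-time comparison so a mismatch does not leak through timing.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    print("weak  :", weak_hash("alice", "hunter2"))
    record = hash_password("hunter2")
    print("pbkdf2:", record)
    print("verify:", verify_password("hunter2", record),
          verify_password("hunter3", record))
```

Running it twice shows the point of the salt: `weak_hash` returns the same digest every time for the same login and password, while `hash_password` produces a different record on every call and `verify_password` still accepts the right password and rejects the wrong one. The same record format is what lets the iteration count be raised later by rehashing on the next successful login.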



Thread

Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-01 09:49 -0800
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 19:31 +0100
  Re: Password validation security issue Tim Chase <python.list@tim.thechases.com> - 2014-03-01 12:38 -0600
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:43 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 05:45 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 20:54 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-01 15:25 -0500
      Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-01 23:07 +0100
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 09:13 +1100
  Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-02 07:11 +1100
  Re: Password validation security issue Christian Heimes <christian@python.org> - 2014-03-02 20:25 +0100
    Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-02 15:01 -0500
      Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 07:32 +1100
      Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 01:16 +0000
        Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:52 -0700
          Re: Password validation security issue Steven D'Aprano <steve@pearwood.info> - 2014-03-03 04:38 +0000
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 16:44 +1100
            Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 23:50 -0700
        Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-03 13:56 +1100
          Re: Password validation security issue Roy Smith <roy@panix.com> - 2014-03-03 08:41 -0500
            Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 00:55 +1100
              Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 16:46 +0000
                Re: Password validation security issue Chris Angelico <rosuav@gmail.com> - 2014-03-04 05:46 +1100
            Re: Password validation security issue MRAB <python@mrabarnett.plus.com> - 2014-03-03 16:29 +0000
            Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 17:41 +0000
  Re: Password validation security issue Renato <rvernucio@gmail.com> - 2014-03-02 15:10 -0800
    Re: Password validation security issue Ian Kelly <ian.g.kelly@gmail.com> - 2014-03-02 18:49 -0700
    Re: Password validation security issue Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-03-03 02:30 +0000
