From: Ian Kelly
Date: Sun, 2 Mar 2014 18:49:27 -0700
Subject: Re: Password validation security issue
To: python-list@python.org
Newsgroups: comp.lang.python

On Sun, Mar 2, 2014 at 4:10 PM, Renato wrote:
> I would like to thank everyone who posted a reply. I learnt a lot from you, guys! I appreciate your attention and your help :)
>
> I took a class on Computer Simulation last year. It was told that deterministic (pseudo-)random numbers are excellent for simulations, because they allow debugging and replication when using a seed(). But it was said that deterministic random numbers weren't indeed suitable for encryption and security issues in general. For this purpose, non-deterministic stochastic methods would be more indicated. I learnt a lot about deterministic random number generation in this course, like using the Mersenne Twister algorithm, but I learnt nothing about encryption, since it wasn't in the scope of that course.
>
> Could you suggest some introductory material concerning encryption? I have an intermediate math background (calculus, linear algebra etc) and I'm willing to learn more about security matters.
>
> One last thing, about my original question. So, the only way of encapsulating a Python script content is to code a simple binary program to call it?

Another alternative would be to implement the script as a service that runs under a separate account. All the user can directly access is a client script that sends requests to the service, which does the actual work and is effectively encapsulated.

I'll also reiterate what others have written about protecting passwords. No matter how much you think you've locked down the script, you shouldn't be storing plaintext passwords *anywhere*. Remember that nothing that you code will ever be as secure as you think it is.
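The two points raised in this thread, that a seedable generator like the Mersenne Twister is not a source of security-relevant randomness and that a password should never be stored in plaintext, can be shown together in a short Python example. The following code is an added illustration and is not from the thread or from any of the posters; it uses only the standard library (`hashlib`, `hmac`, `secrets`), and the iteration count and record format are assumptions chosen for the example rather than anything the thread specifies.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for PBKDF2-HMAC-SHA256 (illustrative, not from the thread).
# The iteration count should be as high as the deployment can afford.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash of `password` and return a self-describing record.

    Only the record is stored; the password itself is never written anywhere.
    The salt comes from the OS CSPRNG via `secrets`, not from `random`, whose
    Mersenne Twister is seedable and predictable and therefore unsuitable for
    anything security-relevant.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    # Record layout (assumed for this example): scheme$iterations$salt$digest, all hex.
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored record and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted store
    cannot be used to bypass the check with an exception path.
    """
    try:
        scheme, iterations_text, salt_hex, digest_hex = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algorithm = scheme[len("pbkdf2_"):]
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            algorithm, password.encode("utf-8"), salt, iterations, dklen=len(expected)
        )
    except ValueError:
        # Covers bad field count, non-integer iterations, bad hex, unknown hash name.
        return False
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: what a credential store would hold instead of the password.
    stored = make_record("correct horse battery staple")
    print("stored record:", stored)
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", stored))
```

Because the salt is random, two records for the same password differ, and the record can be kept in a file owned by the separate service account Ian describes while the client-facing script never sees the password at all.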