Hi pyca/cryptography community,

In my company, we're currently confronted with all the bcrypt vs pbkdf2 vs scrypt vs argon discussions and choices. For each there are further choices to be made about salts-sizes, hash-counts, hash-algos...

Currently pyca/cryptography only has a PBKDF2HMAC module in the hazmat section, that can be used for password hashing but is presented as a key-derivation algo... which it technically is.

I'm looking for a higher, non-hazmat, level password-hashing specific module... Any good libraries available? Ideally based on pyca/cryptography - although the implementation choices seem limited (just PBKDF2 unless I missed some...).

I've got some prototype code to see how much we could possibly abstract the interface to deal with passwords. Please look at the example Python notebook in this gist:

https://gist.github.com/franks42/6edb914203ab7f5a0b151fe0a21e6150

Hopefully that shows some of the interface requirements:

* hide low level key-derivation "stuff" from developers
* work with opaque html/url-friendly tokens to store in the user-passwd-db
* find easy way to manage policy changes and upgrade affected passwordhash-tokens
* make "easy" migration to the ultimate future algo feasible (argon2?)

Ideas/suggestions/feedback much appreciated!

Thanks, Frank.
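One way to meet the interface requirements listed in the message above, as an added example (not from the post, the linked gist, or pyca/cryptography itself). It uses the standard library's hashlib.pbkdf2_hmac in place of PBKDF2HMAC so it runs without dependencies; the token layout, the policy table and its iteration counts, and the function names are all assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical policy table: id -> (hash name, iterations, salt bytes).
# Iteration counts are illustrative only; tune them for your hardware.
POLICIES = {1: ("sha256", 100_000, 16), 2: ("sha256", 600_000, 16)}
CURRENT_POLICY = 2


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, policy_id: int = CURRENT_POLICY) -> str:
    """Return an opaque, URL-safe token: "<policy>.<salt>.<digest>"."""
    algo, iterations, salt_len = POLICIES[policy_id]
    salt = os.urandom(salt_len)
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return f"{policy_id}.{_b64(salt)}.{_b64(digest)}"


def verify_password(password: str, token: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, new_token). new_token is set only when the password
    verified against a token made under an older policy."""
    try:
        policy_text, salt_text, digest_text = token.split(".")
        policy_id = int(policy_text)
        algo, iterations, _ = POLICIES[policy_id]
        salt, expected = _unb64(salt_text), _unb64(digest_text)
    except (ValueError, KeyError):
        return False, None  # malformed token or unknown policy id
    actual = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return False, None
    if policy_id != CURRENT_POLICY:
        return True, hash_password(password)  # caller stores the upgraded token
    return True, None
```

Because the policy id travels inside the token, a later algorithm such as argon2 would be a new policy entry, and old tokens are upgraded at the next successful login, the only time the plaintext password is available.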