[google-appengine] Re: Using custom method to encrypt password in webapp2

[Richard Cheesmar]

try something like this:


def hashing(plaintext, salt="", sha="512"):
    """ Returns the hashed and encrypted hexdigest of a plaintext and salt"""
    app = webapp2.get_app()

    # Hashing
    if sha == "1":
        phrase = hashlib.sha1()
    elif sha == "256":
        phrase = hashlib.sha256()
    else:
        phrase = hashlib.sha512()
    phrase.update("%s@%s" % (plaintext, salt))
    phrase_digest = phrase.hexdigest()

    # Encryption (PyCrypto)
    # wow... it's so secure :)
    try:
        from Crypto.Cipher import AES

        mode = AES.MODE_CBC

        # We can not generate random initialization vector because is difficult 
to retrieve them later without knowing
        # a priori the hash to match. We take 16 bytes from the hexdigest to 
make the vectors different for each hashed
        # plaintext.
        iv = phrase_digest[:16]
        encryptor = AES.new(app.config.get('aes_key'), mode, iv)
        ciphertext = [encryptor.encrypt(chunk) for chunk in 
chunks(phrase_digest, 16)]
        return ''.join(ciphertext)
    except Exception, e:
        logging.error("CRYPTO is not running: {}".format(e))
        raise



On Monday, January 4, 2016 at 8:12:37 AM UTC+2, A. Kong wrote:
>
> Hi all,
>
> If I understand it correctly, GAE webapp2 encrypts password using SHA1 
>  (see method create_user as in 
> https://webapp-improved.appspot.com/_modules/webapp2_extras/appengine/auth/models.html
> )
>
> I want to be able to switch to SHA-256 or other algorithm. Is there any 
> official way to override this?  I found this github repo and its 
> recommendation seems to be rolling your own RequestHandler. Is it a good 
> approach? Is there any other alternative?
>
> There is a related  entry in the archived bug tracker 
> https://code.google.com/p/webapp-improved/issues/detail?id=57  Is the 
> comment there still up to date? 
>
> Cheers
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/76adea80-d52b-481a-91ba-acaaa5efd45d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.