On 19 February 2015 at 13:21, Mads Kiilerich <[email protected]> wrote:
>>> bcrypt: password hashing
>
> This area is weird. On Windows we don't use bcrypt but just hash the
> password. Weird that it uses different and compatible methods on different
> platforms. Bad that Windows uses an insecure method (can be attacked with
> rainbow tables).
>
> I don't know if there is some PBKDF2 implementation that would be better
> than bcrypt. But we should at least use bcrypt everywhere (while staying
> backward compatible).
The standard library provides hashlib.pbkdf2_hmac in 3.4+ and 2.7.8+:

https://docs.python.org/3/library/hashlib.html#key-derivation-function
https://docs.python.org/2/library/hashlib.html#key-derivation-function

So you could do a module attribute check for that at runtime, and only fall back if it wasn't found.

Alternatively, since you'd need a fallback option for older versions regardless, it might be useful to adopt the far more feature-complete passlib: https://pythonhosted.org/passlib/

Regards,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia

_______________________________________________
kallithea-general mailing list
[email protected]
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
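The runtime attribute check suggested above, as an added example that is not code from this thread or from Kallithea: it prefers hashlib.pbkdf2_hmac when the interpreter has it, otherwise falls back to a pure-Python PBKDF2-HMAC written for this example (an assumption; the thread proposes bcrypt or passlib as the fallback), and stores the iteration count and salt alongside the derived key so that verification is self-describing. The hash string format and the 100000-iteration default are choices made here, not Kallithea's.

```python
import base64
import hashlib
import hmac
import os
import struct


def _pbkdf2_hmac_pure(hash_name, password, salt, iterations, dklen=None):
    """Pure-Python PBKDF2-HMAC (RFC 2898 section 5.2). Fallback only: it is
    far slower than the C implementation, so do not prefer it when
    hashlib.pbkdf2_hmac is present. Constructed for this example."""
    hlen = hashlib.new(hash_name).digest_size
    if dklen is None:
        dklen = hlen
    out = b""
    for block in range(1, -(-dklen // hlen) + 1):  # ceil(dklen / hlen) blocks
        u = hmac.new(password, salt + struct.pack(">I", block), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for j in range(hlen):
                t[j] ^= u[j]
        out += bytes(t)
    return out[:dklen]


# Module attribute check at import time: use the stdlib KDF if available.
pbkdf2_hmac = getattr(hashlib, "pbkdf2_hmac", _pbkdf2_hmac_pure)


def hash_password(password, iterations=100000, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>' (format chosen
    for this example). A fresh 16-byte random salt defeats rainbow tables."""
    salt = os.urandom(16) if salt is None else salt
    dk = pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the key with the stored parameters and compare in constant
    time; unknown schemes (e.g. a legacy plain hash) are rejected, not guessed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations, salt, expected = int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    dk = pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)
```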
