To generate the hash with salt:

import bcrypt

# gensalt's log_rounds parameter determines the complexity.
# The work factor is 2**log_rounds, and the default is 12.
# password must be a byte string (e.g. b"secret").
hashed = bcrypt.hashpw(password, bcrypt.gensalt(10))

To validate a submitted password:

# Check that an unencrypted password matches one that has
# previously been hashed (hashed is the stored value from above)
if bcrypt.hashpw(password, hashed) == hashed:
    print("It matches")
else:
    print("It does not match")

Wait a minute. There's no such thing as a free lunch.

Assuming gensalt() produces a unique random salt each time, then the result of:

bcrypt.gensalt(10)

must have been placed into some kind of persistent storage associated with the user's login. So where is it? And how do we back it up? And why is this better than storing the salt value in the table with the user's login?

If it doesn't produce a unique random salt each time, then bcrypt would have to be brute-force testing some finite number of pre-determined salt values for each validation until it finds the one that matches or exhausts all of the possibilities. Maybe this is how the amount of time this takes gets controlled. But if there's a finite number of pre-determined salt values, even if that number is very large, then it can be cracked eventually.

Ken Dibble
www.stic-cil.org
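An added example, not part of Ken's post or of the py-bcrypt documentation it quotes, that shows where the salt lives: the string bcrypt.hashpw returns is self-describing (version, cost, 22-character salt, 31-character digest), so `hashpw(password, hashed)` reads the salt and cost back out of `hashed` itself, and nothing besides that one column has to be stored or backed up. The parser below works on real bcrypt strings (the sample string is constructed to have the right shape and is not the digest of any password); the second half reproduces the same pattern with the standard library's PBKDF2 so it runs without the bcrypt package (the `$pbkdf2-demo$` storage format and the function names are this example's own, not a real library's).

```python
import hashlib
import hmac
import os
import re

# bcrypt output is a modular-crypt-format string:
#   $2b$<cost>$<22-char salt><31-char digest>
# The 22 salt characters encode the 128-bit random salt in bcrypt's
# own base64 alphabet, so the salt travels with the hash.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(hashed):
    """Split a bcrypt string into its stored fields.

    Raises ValueError if the string is not bcrypt-shaped. The returned
    cost and salt are exactly what hashpw(password, hashed) reuses.
    """
    m = BCRYPT_RE.match(hashed)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "log_rounds": int(cost),
        "salt": salt,
        "digest": digest,
    }


# Constructed sample with the right layout (22 + 31 characters after the
# cost); it is NOT the real bcrypt digest of any password.
EXAMPLE_BCRYPT = (
    "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
)


def make_hash(password, log_rounds=10, salt=None):
    """Same storage pattern using PBKDF2-HMAC-SHA256 from the stdlib.

    A fresh random salt is drawn unless one is supplied (verification
    supplies the salt read back from the stored string). The returned
    string carries cost, salt and digest together, mirroring bcrypt.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, 2 ** log_rounds
    )
    # Demo-only format: $pbkdf2-demo$<log_rounds>$<salt hex>$<digest hex>
    return "$pbkdf2-demo$%d$%s$%s" % (log_rounds, salt.hex(), digest.hex())


def check_password(password, stored):
    """Verify by re-deriving with the salt and cost parsed from `stored`.

    There is no search over candidate salts: the one salt that was used
    is right there in the record. Comparison is constant-time.
    """
    _, scheme, cost, salt_hex, _digest_hex = stored.split("$")
    if scheme != "pbkdf2-demo":
        raise ValueError("unknown hash scheme")
    recomputed = make_hash(password, int(cost), bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    fields = parse_bcrypt_hash(EXAMPLE_BCRYPT)
    print("bcrypt cost:", fields["log_rounds"], "salt:", fields["salt"])
    stored = make_hash("correct horse battery staple")
    print("stored record:", stored)
    print("right password:", check_password("correct horse battery staple", stored))
    print("wrong password:", check_password("wrong", stored))
    # Two hashes of the same password differ because each gets a new salt.
    print("salts differ:", make_hash("x") != make_hash("x"))
```

Because the salt is random per call and sits inside the stored string, two hashes of the same password never collide, and an attacker who steals the table gains the salt but still has to run the full 2**log_rounds work per guess per user.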