just picking up on this again: I'm still wondering what the best approach is in a PySide app to get from the plain text password that a user enters in a widget to an encrypted version of it while minimising the risk of theft of the original password?! I am currently encrypting the password via rsa using a public key and decrypting it on the server side with a private key. That's all nice, but what about the text that is entered in the widget itself? Isn't it too easy to hack the code to grab the password before it is encrypted? Even if I distribute the respective pyside and password code as pyc?
Is it a feasible idea to have a pre-compiled PySide widget (not sure how to do that) that encrypts the password upon reception and only ever stores the result of that? I guess this is a scenario where it would be of benefit to use C++ or other compiled languages (which is beyond my knowledge). I would greatly appreciate people's input on this!

Cheers,
frank

On 18/06/12 09:59, Frank Rueter | OHUfx wrote:
> Thanks Srini.
>
> On 18/06/12 5:44 AM, Srini Kommoori wrote:
>> For a desktop application, I would recommend using keyring
>> http://pypi.python.org/pypi/keyring
>>
>> For file level password application, I would use PBKDF2 with very high
>> iteration count. For my application, Safebox, I have used this method.
>> Here are the details.
>> http://safebox.fabulasolutions.com/p/safebox-crypto-architecture.html
>>
>> all the best
>>
>> On Jun 15, 2012, at 12:52 AM, Henry Gomersall <[email protected]> wrote:
>>
>>> On Fri, 2012-06-15 at 11:50 +1200, Frank Rueter | OHUfx wrote:
>>>> I'm wondering about the best way to handle password input in PySide.
>>>> I know about python's hashlib, but am wondering if there is a better way
>>>> to provide security between the user's input into a PySide widget and
>>>> the hashing. A friend was wondering about a precompiled widget that does
>>>> the hashing directly so the password is never once stored anywhere as
>>>> plain text.
>>>>
>>>> What are people's approaches for this?
>>>
>>> so, in light of the recent LinkedIn debacle, the following was brought
>>> to my attention:
>>>
>>> http://codahale.com/how-to-safely-store-a-password/
>>>
>>> I'm not a security expert, which is why I feel the need to listen to all
>>> the arguments!
>>>
>>> Cheers,
>>>
>>> Henry
>>>
>>> _______________________________________________
>>> PySide mailing list
>>> [email protected]
>>> http://lists.qt-project.org/mailman/listinfo/pyside
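The following is an added example, not code from this thread or from any of the posters, showing what Srini's "PBKDF2 with very high iteration count" suggestion looks like in plain Python with only the standard library (hashlib, hmac, os). The record layout `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default and the 16-byte salt are this example's own assumptions; the thread gives no concrete parameters.

```python
"""Added example (not from the thread): salted PBKDF2-HMAC-SHA256 password
hashing with a high iteration count, using only the Python standard library.
The record format 'pbkdf2_sha256$iterations$salt$hash' and the parameter
values below are this example's own choices, not from the thread."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"     # PRF used inside PBKDF2-HMAC
ITERATIONS = 600_000     # assumed default; tune so one derivation costs a few hundred ms
SALT_BYTES = 16          # 128-bit random salt, a fresh one per password


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Raw PBKDF2-HMAC-SHA256 output; the password is UTF-8 encoded before hashing."""
    return hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, length)


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record holding everything verification needs.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful for tests). The iteration count is stored in the record so it can
    be raised later for new passwords without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = derive_key(password, salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time. Malformed records are rejected, not raised on."""
    try:
        scheme, iterations_str, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iterations_str)
    except (ValueError, TypeError):
        return False
    if scheme != "pbkdf2_" + ALGORITHM or iterations < 1 or not expected:
        return False
    dk = derive_key(password, salt, iterations, len(expected))
    # hmac.compare_digest does not stop at the first differing byte, so the
    # comparison time does not reveal how much of the hash an attacker got right.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed demonstration input. In a PySide app this string would come
    # from QLineEdit.text() on a field with echo mode QLineEdit.Password.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

On the widget side this would be called on `lineEdit.text()` followed by `lineEdit.clear()`, with the field's echo mode set to `QLineEdit.Password`. Two caveats that the thread's question about grabbing the password before it is hashed raises: a Python `str` cannot be reliably wiped from memory, and code running on the user's machine can always be patched by that user, so hashing in the client only helps when the secret protects local data (Srini's "file level" case). For authentication against a server, the salted, iterated hash belongs on the server, computed over a password sent through an authenticated, encrypted channel; a hash computed client-side and sent as-is is simply a new password.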
