"Steve D'Aprano" wrote in message
news:585d009f$0$1599$c3e8da3$54964...@news.astraweb.com...
On Fri, 23 Dec 2016 09:19 pm, Frank Millman wrote:
>
> 3. Generate the password from the string supplied by the user as
> follows -
> from hashlib import blake2b
> password = blake2b('my_password'.encode('utf-8'),
> salt=salt).digest()
>
> The hashlib docs have the following warning -
>
> "Salted hashing (or just hashing) with BLAKE2 or any other general-purpose
> cryptographic hash function, such as SHA-256, is not suitable for hashing
> passwords. See BLAKE2 FAQ for more information."

Why are you using Blake2 when the docs explicitly say not to use them in this
way? Have you read the FAQ to see what it says?

Why am I using Blake2? Well, before today I had not heard of it. However, in
the past, when I needed to create a hashed password, I used the built-in
hashlib module. Today, when I look at the docs for hashlib in Python 3.6,
this is the new sub-heading -
"15.2. hashlib — BLAKE2 hash functions"
So it appears that this is the new preferred way of doing it.
This is what the Blake2 FAQ says -
"You shouldn't use *any* general-purpose hash function for user passwords,
not BLAKE2, and not MD5, SHA-1, SHA-256, or SHA-3. Instead you should use a
password hashing function such as the PHC winner Argon2 with appropriate
time and memory cost parameters, to mitigate the risk of bruteforce
attacks—Argon2's core uses a variant of BLAKE2's permutation"
I see that there is a Python implementation of Argon2 in PyPI, but I don't
particularly want to add another dependency to my app. My gut-feel says that
this is overkill for my requirement. However, I am not sure. That is partly
why I started this thread, to get some counter-arguments.
Frank
--
https://mail.python.org/mailman/listinfo/python-list
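
An added example, not part of the original post or of the hashlib docs: a standard-library-only way to store a password with a deliberately slow, memory-hard function, using `hashlib.scrypt` (new in Python 3.6, needs OpenSSL 1.1+) in place of the Argon2 that the BLAKE2 FAQ names. The cost parameters, the record format and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters are assumptions of this example; raise N as hardware allows.
N, R, P = 2**14, 8, 1          # about 16 MiB of memory per hash
MAXMEM = 64 * 1024 * 1024      # upper bound passed to OpenSSL
KEY_LEN = 32


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=dklen)


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$key (base64 fields)."""
    salt = os.urandom(16)      # fresh random salt per password
    key = _scrypt(password, salt, N, R, P, KEY_LEN)
    fields = ["scrypt", str(N), str(R), str(P),
              base64.b64encode(salt).decode(), base64.b64encode(key).decode()]
    return "$".join(fields)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = _scrypt(password, salt, int(n), int(r), int(p), len(expected))
    except ValueError:         # malformed record or parameters above MAXMEM
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("my_password")   # constructed sample input
    print(record)
    print(verify_password("my_password", record), verify_password("guess", record))
```

Storing the parameters inside the record lets the cost be raised later without invalidating existing entries.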