On 2011-08-05 23:20 +0700, michael kapelko wrote:
> In search of a good auth doc I came across this article:
> http://unixpapa.com/auth/homebuilt.html
> This looks very reasonable.

Use this for encryption:
http://www.mindrot.org/projects/py-bcrypt/

It's a sloooow algorithm, which is exactly what you need for passwords
(attackers take a longer time to crack them, and it's not so slow that
it's uncomfortable for end users).

This guy (gal?) explains what it's about:
http://codahale.com/how-to-safely-store-a-password/

tl;dr: MD5 takes a millisecond, bcrypt takes 0.3 seconds. You can
imagine what it would look like for an attacker that wants to try out
1M combinations. (My maths suck but I think 0.3 hrs on MD5 vs. 3.5 days
on bcrypt?).

--
Branko Vukelic
[email protected]
[email protected]
Lead Developer
Herd Hound (tm) - Travel that doesn't bite
www.herdhound.com
Love coffee? You might love Loveffee, too.
loveffee.appspot.com
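
Added example, not part of the original message and not py-bcrypt's own code: salted password storage with a tunable slow hash, plus the 1M-guess cost comparison from the message. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the record format, function names and ITERATIONS value are assumptions.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000  # assumed work factor; raise it until one hash is as slow as logins can bear

def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt$hash' with a fresh random salt per password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and cost; malformed records fail closed."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(dk, expected)

def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was hashed with a lower cost than the current setting."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdecimal() or int(parts[1]) < iterations

def seconds_per_guess(fn, runs=3):
    """Best-of-N wall-clock time for one call of fn."""
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - t0)
    return best

def attack_seconds(per_guess, guesses=1_000_000):
    """Time to try `guesses` candidates against one salted hash, single-threaded."""
    return per_guess * guesses

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    record = hash_password(pw)
    print(record, verify_password(pw, record), verify_password("guess", record))
    fast = seconds_per_guess(lambda: hashlib.md5(pw.encode()).digest())
    slow = seconds_per_guess(lambda: hash_password(pw))
    print("1M guesses: MD5 %.2f s, slow hash %.1f h"
          % (attack_seconds(fast), attack_seconds(slow) / 3600))
```

Storing the cost inside each record is what lets needs_rehash() upgrade old hashes at the next successful login when the work factor is raised.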