|
|
|
|
|
|
by jjawssd
3664 days ago
|
|
|
> No, you shouldn't. Your library should do that for you, and store it as a single string that's opaque to the developer. I completely disagree. This implies that my DB ORM handles password stuff, which doesn't make sense. Python 3 example: Syntax:
hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) Example: >>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000) >>> binascii.hexlify(dk) b'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5' Extremely simple and safe to use. Trivial to store and save/retrieve the salt from DB. |
|
|
1) You need to store the salt alongside the password.
2) If you want to futureproof the stretching factor (e.g. change from 100000 to 1000000), you need to store that alongside the password hash as well.
3) If you want to futureproof the hashing algorithm, you need to store that alongside the password hash.
The value of the *crypt solutions is that they store the input parameters as part of the stored secret. So you can make adjustments later on without invalidating existing stored passwords, or having to resort to annoying "double-hashes" to migrate to a new approach.
I don't understand your comment about the ORM needing to handle passwords. It's a simple fetch of a field from the DB, which you then pass as an input to your password validator. How is that any harder than fetching a salt and a hash and passing those to your validator?