Does Passlib follow « Password Storage » of Mozilla Security Guidelines


Stéphane Klein

Sep 17, 2013, 5:53:36 AM
to passli...@googlegroups.com
Hi,

I've read the « Password Storage » section of the Mozilla Security Guidelines: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Password_Storage

I'm looking for a generic (and independent) Python library to perform "hash_password" and "verify_password" which follows this « Password storage » guideline (hmac + bcrypt).

Does Passlib have a feature to follow this Password Storage guideline (hmac + bcrypt)?

Best regards,
Stephane

Eli Collins

Sep 21, 2013, 5:19:47 PM
to passli...@googlegroups.com
Hi!

I've seen similar constructions in a few places, sometimes referring to the application-defined key as a "pepper" (as opposed to the randomly generated "salt" that's unique to each hash). Sadly, Passlib doesn't currently offer a peppered version of bcrypt (or any other hash). However, I'm currently looking into adding support in the next (v1.7) release of Passlib. There are a number of different constructions which can be used (though pretty much all are based around the idea of HMAC + <password hash>), and I want to pick the most flexible one before releasing it.

In the meantime, if you're interested, feel free to subscribe to issue 38 on the passlib issue tracker. That issue will get updated when a workable implementation is added and when it's released; though my day job is currently keeping me rather busy, and I'm not sure what the ETA on the 1.7 release is going to be.

Cheers,
- Eli

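The HMAC + password-hash ("pepper") construction discussed in this thread, written out as an added example that is not Passlib code and not part of either message. bcrypt is not in the Python standard library, so the slow-hash step uses `hashlib.pbkdf2_hmac` as a stand-in; `slow_hash` is the one function to swap for a bcrypt call. The pepper value, scheme label and iteration count are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed pepper for this example; a real one is loaded from a secret
# store or config at startup and is never written next to the password hashes.
PEPPER = b"example-pepper-change-me"
SCHEME = "hmac-sha256+pbkdf2"   # constructed label stored with each record
ITERATIONS = 200_000


def pre_hash(password: str, pepper: bytes) -> bytes:
    """HMAC-SHA256(pepper, password), base64-encoded so the result has a
    fixed 44-byte length and no NUL bytes (bcrypt caps input at 72 bytes and
    some implementations stop at the first NUL, so raw MAC bytes are unsafe)."""
    mac = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac)


def slow_hash(prehashed: bytes, salt: bytes, iterations: int) -> bytes:
    # Stand-in for bcrypt so this runs on the standard library alone;
    # with the bcrypt package this step would be bcrypt.hashpw(prehashed, salt).
    return hashlib.pbkdf2_hmac("sha256", prehashed, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Per-user random salt over the peppered pre-hash, serialised with its
    parameters so verification does not depend on current defaults."""
    salt = secrets.token_bytes(16)
    digest = slow_hash(pre_hash(password, pepper), salt, ITERATIONS)
    return "$".join(["", SCHEME, str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    A malformed or foreign record verifies as False instead of raising."""
    try:
        _, scheme, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iters)
    except (ValueError, binascii.Error):
        return False
    if scheme != SCHEME or iterations <= 0:
        return False
    actual = slow_hash(pre_hash(password, pepper), salt, iterations)
    return hmac.compare_digest(actual, expected)
```

Note that a hash made under one pepper cannot be verified under another, so rotating the pepper requires re-hashing at next login (or a key id in the record); that is the flexibility question the reply above refers to.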

