Page Review - Hashing

[Craig Younkins]

I've been putting a lot of work into the hashing page on the PythonSecurity wiki - http://www.pythonsecurity.org/wiki/hashing/

I'd love your comments on how the page reads and any suggestions for improvement. Is everything clear? Is anything missing? Thanks!

Craig Younkins

[Vitor M. A. da Cruz]

   In order to avoid people reinventing the wheel when hashing passwords, it could be interesting to mention established password hashing techniques, like bcrypt [1][2]

[1] - A Future-Adaptable Password Scheme: http://www.openbsd.org/papers/bcrypt-paper.ps

[2] - py-bcrypt: http://www.mindrot.org/projects/py-bcrypt/

   Thanks;
   Vitor M. A. da Cruz

[Craig Younkins]

bcrypt/scrypt has come up a lot in the past 2 days it seems. My basic sentiment is this: while I really like the ideas behind it and I hope we see more like it, bcrypt and scrypt are not approved by NIST. The recommended scheme of SHA-2, 64-bit random salt, 1000 iterations was developed by NSA and is recommended by NIST [1].

[1] http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

Craig Younkins

[Steve Bywater]

If you want to really help n00bs, I think it's import to note that
hashes are "one way", as opposed to encryption which allows for
decryption. For the same audience, perhaps a description of how they
are used and why. Maybe this text or similar: A typical use pattern is
to store a hash of a password, so then a user logs in with a password,
that password is hashed and compared to the stored hash. This allows
for the application to do password based authentication, without
having to store a password that could be misused if it got into the
wrong hands.

Keep it up!
- Steve

[Craig Younkins]

Thanks Steve. I added that information to the page in the last paragraph of the leading section.

Craig Younkins