Page Review - Hashing


Craig Younkins

Jul 21, 2010, 11:28:26 AM7/21/10
to python-...@googlegroups.com
I've been putting a lot of work into the hashing page on the PythonSecurity wiki - http://www.pythonsecurity.org/wiki/hashing/

I'd love your comments on how the page reads and any suggestions for improvement. Is everything clear? Is anything missing? Thanks!

Craig Younkins

Vitor M. A. da Cruz

Jul 21, 2010, 12:09:47 PM7/21/10
to python-...@googlegroups.com
   In order to avoid people reinventing the wheel when hashing passwords, it could be interesting to mention established password hashing techniques, like bcrypt [1][2]


[1] - A Future-Adaptable Password Scheme: http://www.openbsd.org/papers/bcrypt-paper.ps

   Thanks;
   Vitor M. A. da Cruz

Craig Younkins

Jul 21, 2010, 1:25:49 PM7/21/10
to python-...@googlegroups.com
bcrypt/scrypt has come up a lot in the past 2 days it seems. My basic sentiment is this: while I really like the ideas behind it and I hope we see more like it, bcrypt and scrypt are not approved by NIST. The recommended scheme of SHA-2, 64-bit random salt, 1000 iterations was developed by NSA and is recommended by NIST [1].

Steve Bywater

Jul 21, 2010, 3:19:06 PM7/21/10
to python-...@googlegroups.com
If you want to really help n00bs, I think it's important to note that
hashes are "one way", as opposed to encryption which allows for
decryption. For the same audience, perhaps a description of how they
are used and why. Maybe this text or similar: A typical use pattern is
to store a hash of a password, so then a user logs in with a password,
that password is hashed and compared to the stored hash. This allows
for the application to do password based authentication, without
having to store a password that could be misused if it got into the
wrong hands.

Keep it up!
- Steve
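An added example, not code from the thread or the PythonSecurity wiki, that puts together the two pieces of advice above: Steve's store-the-hash-then-compare login pattern, and the parameters Craig describes (a SHA-2 hash, a 64-bit random salt, 1000 iterations). The use of PBKDF2-HMAC-SHA256 from Python's standard library to combine salt and iteration count is my assumption, as is the `scheme$iterations$salt$hash` record format; the iteration count is a cost knob that should be raised over time as hardware gets faster.

```python
import hashlib
import hmac
import os

# Parameters taken from the thread: SHA-2 family hash, 64-bit (8-byte)
# random salt, 1000 iterations. Combining them via PBKDF2-HMAC is an
# assumption of this example, not the wiki page's own recommendation.
HASH_NAME = "sha256"
SALT_BYTES = 8
ITERATIONS = 1000
DERIVED_LEN = 32  # bytes of output; 32 = full SHA-256 width
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Hash a password for storage.

    Returns a self-describing record "scheme$iterations$salt_hex$hash_hex"
    so the salt and cost factor are stored alongside the hash. The
    password itself is never stored; the hash is one-way, so the record
    cannot be turned back into the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, DERIVED_LEN
    )
    return "$".join([SCHEME, str(iterations), salt.hex(), derived.hex()])


def verify_password(password, record):
    """Check a login attempt against a stored record.

    Re-derives the hash with the stored salt and iteration count and
    compares in constant time, so a malformed or foreign record is simply
    rejected rather than raising.
    """
    try:
        scheme, iterations_str, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory user store standing in for a database table.
USERS = {}


def register(username, password):
    """Store only the hash record for a new user."""
    USERS[username] = hash_password(password)


def login(username, password):
    """The pattern from the thread: hash the submitted password, compare."""
    record = USERS.get(username)
    if record is None:
        # Still burn a hash so a missing user is not faster than a bad password.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored record:", USERS["alice"])
    print("good password:", login("alice", "correct horse battery staple"))
    print("bad password: ", login("alice", "Tr0ub4dor&3"))
    print("unknown user: ", login("bob", "anything"))
```

Two points the thread's prose does not spell out: the salt has to be stored with the hash (here it rides along in the record), and the comparison at login should be constant-time, which is why `hmac.compare_digest` is used instead of `==`.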

Craig Younkins

Jul 21, 2010, 3:35:28 PM7/21/10
to python-...@googlegroups.com
Thanks Steve. I added that information to the page in the last paragraph of the leading section.

Craig Younkins