92 lines
1.6 KiB
Plaintext
92 lines
1.6 KiB
Plaintext
== How to fix it in Python Standard Library
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
Code targeting scrypt:
|
|
|
|
[source,python,diff-id=206,diff-type=noncompliant]
|
|
----
|
|
from hashlib import scrypt
|
|
|
|
def hash_password(password, salt):
|
|
return scrypt(
|
|
password,
|
|
salt,
|
|
n=1 << 10, # Noncompliant: N is too low
|
|
r=8,
|
|
p=2,
|
|
dklen=64
|
|
)
|
|
----
|
|
|
|
Code targeting PBKDF2:
|
|
|
|
[source,python,diff-id=266,diff-type=noncompliant]
|
|
----
|
|
from hashlib import pbkdf2_hmac
|
|
|
|
def hash_password(password, salt):
|
|
return pbkdf2_hmac(
|
|
'sha1',
|
|
password,
|
|
salt,
|
|
500_000 # Noncompliant: not enough iterations for SHA-1
|
|
)
|
|
----
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
Code targeting scrypt:
|
|
|
|
[source,python,diff-id=206,diff-type=compliant]
|
|
----
|
|
from hashlib import scrypt
|
|
|
|
def hash_password(password, salt):
|
|
return scrypt(
|
|
password,
|
|
salt,
|
|
n=1 << 14,
|
|
r=8,
|
|
p=5,
|
|
dklen=64,
|
|
maxmem=85_000_000 # Needs ~85MB of memory
|
|
)
|
|
----
|
|
|
|
Code targeting PBKDF2:
|
|
|
|
[source,python,diff-id=266,diff-type=compliant]
|
|
----
|
|
from hashlib import pbkdf2_hmac
|
|
|
|
def hash_password(password, salt):
|
|
return pbkdf2_hmac(
|
|
'sha256',
|
|
password,
|
|
salt,
|
|
600_000
|
|
)
|
|
----
|
|
|
|
|
|
=== How does this work?
|
|
The following sections provide guidance on the usage of these secure
|
|
password-hashing algorithms as provided by hashlib.
|
|
|
|
include::../../common/fix/scrypt-parameters.adoc[]
|
|
|
|
include::../../common/fix/pbkdf2-parameters.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/pre-hashing.adoc[]
|
|
|
|
=== Going the extra mile
|
|
|
|
include::../../common/extra-mile/peppering.adoc[]
|
|
|