I need to implement password storage in my GAE/python2.7 app. I've already implemented cookies for authorization, I already have a Account/user model, and I already have authentication via 3rd parties. Now I need to add authentication via password (a customer request).
I want the passwords to be stored securely. I've identified a couple of options (below), that seem sensible, but I've never implemented password storage before, so I dont know what I dont know. I'd rather avoid a problem than wait for a problem.
My question is: is this best practice for GAE? If not, what is?
Note that I'm only looking for a way to hash passwords prior to storage, and compare. I don't need a full-stack users module.
I've already reviewed a previous question which is helpful, but doesnt directly solve my problem.
The options:
Use Django. Something like
import django.contrib.auth.hashers as foo to_store_in_db = foo.make_password(conforming_password) # later passes = foo.check_password(entered_password, password_from_db)(we dont currently use Django in our app, so we can use whichever we prefer, but I'm proposing 1.4 because it the most recent available in GAE that isnt the moving target of 'latest' )
Use webapp2_extras.security - similar to the above, but using
generate_password_hash() #Seems like it only supports md5/sha1 check_password_hash()
thanks
tom
There is a built-in function just for that: https://docs.python.org/2/library/hashlib.html#key-derivation-function.
>>> import hashlib, binascii
>>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
>>> binascii.hexlify(dk)
b'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
Where salt should be random string stored in databae alongside password. This uses sha256 which seems to be good enough for this purpose.
Getting good (securely random) sald might be a problem, but on newer versions of GAE you can specify pycrypto dependency, and use:
from Crypto.Random import get_random_bytes
来源:https://stackoverflow.com/questions/19147789/best-practices-for-storing-passwords-in-gae-python