hhroc / yellr-server

Server for yellr project
GNU Affero General Public License v3.0
6 stars, 5 forks

Consider changing password hashing to PBKDF2 #132

Open dxa4481 opened 9 years ago

dxa4481 commented 9 years ago

SHA-2 has a relatively low time complexity and is generally not considered industry best practice.

PBKDF2 allows you to set the number of rounds so you can adapt it as technology gets better.

Library https://www.dlitz.net/software/python-pbkdf2/
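The scheme proposed above, as an added example (not the project's code and not the linked library): server-side PBKDF2 using the standard library's `hashlib.pbkdf2_hmac`, which is available on Python 2.7.8+ and 3.4+. The record format `pbkdf2_sha256$iterations$salt$hash`, the constant names and the 600,000-iteration default are assumptions chosen for illustration; the point is that the iteration count is stored with each hash, so it can be raised later and old records re-hashed on the next successful login.

```python
import base64
import hashlib
import hmac
import os
import time

# Policy constants (assumed for this example, not the project's settings).
ALGORITHM = "sha256"
ITERATIONS = 600_000      # raise this as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt>$<hash>.

    Storing the algorithm and iteration count beside the hash is what lets the
    work factor be raised later without invalidating existing accounts.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "pbkdf2_{}${}${}${}".format(
        ALGORITHM, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def _parse(record: str):
    tag, iterations, salt_b64, hash_b64 = record.split("$")
    algo = tag[len("pbkdf2_"):]
    return algo, int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record; constant-time compare."""
    algo, iterations, salt, expected = _parse(record)
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record is weaker than the current policy."""
    algo, stored_iterations, _, _ = _parse(record)
    return algo != ALGORITHM or stored_iterations < iterations


def login(password: str, record: str, iterations: int = ITERATIONS):
    """Check the password. On success return (True, record), where record has been
    re-hashed under the current policy if the stored one was weaker; the caller
    writes the new record back to the database. On failure return (False, record)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, iterations):
        record = hash_password(password, iterations)   # plaintext is in hand only now
    return True, record


def calibrate_iterations(target_seconds: float = 0.25, start: int = 10_000) -> int:
    """Double the iteration count until one derivation takes about target_seconds
    on this host; run this when choosing ITERATIONS for a deployment."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(ALGORITHM, b"calibration", b"\0" * SALT_BYTES,
                            iterations, dklen=DKLEN)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(login("correct horse battery staple", rec))
    print("iterations for ~0.25 s here:", calibrate_iterations())
```

Two details worth keeping: `hmac.compare_digest` avoids leaking the position of the first mismatching byte through timing, and the salt is a fresh `os.urandom` value per record, so two users with the same password get different hashes.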

thequbit commented 8 years ago

@dxa4481 is the library linked here still preferable for Python 3? Thanks again for doing this audit - sorry it's taken this long to get around to implementing these!

dxa4481 commented 8 years ago

I'm not really sure. There's another method I read about recently. The idea behind pbk is it does a number of rounds of the hashing to just slow an attacker down if an attacker compromised the database and wanted to start launching dictionary attacks against all the hashes.

So this other method is basically implement pbk or something like it client side. The client hashes their PW 9999 times in javascript or something like that, then you pass that to the server, hash it once server side with salt and store that. That way if an attacker wants to try and reproduce that hash with the given salt they need to hash each dictionary entry 10000 times, slowing them down.

So why do it client side instead of server side? Instead of waiting for the server to do X login hashes, they can all happen in parallel via each clients computer instead of the server getting gunked up with X simultaneous logins and X*10000 hashes.
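The client-side variant described in the comment above, as an added example written in Python so both sides run in one file; it is not the commenter's or the project's code, and in a real deployment the `client_prehash` step would run in the browser. Assumptions made here: the client derives its salt deterministically from the username plus a fixed domain string (a browser has no database to fetch a random per-user salt from before logging in), uses 10,000 PBKDF2 rounds, and the server stores one HMAC-SHA256 of the received pre-hash keyed by a random salt. The `attacker_cost` function counts the work an attacker with the leaked record must do, which is the slow-down the comment is after.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example, not the project's settings.
CLIENT_ROUNDS = 10_000                    # stretching done by the client
CLIENT_DOMAIN = b"yellr-client-prehash-v1"  # assumed constant, separates this use of the password


def client_prehash(username: str, password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the browser would compute: PBKDF2 over the password with a deterministic
    per-user salt. The result, not the password, is what gets sent to the server."""
    client_salt = hashlib.sha256(CLIENT_DOMAIN + username.lower().encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), client_salt,
                               rounds, dklen=32)


def server_store(prehash: bytes) -> str:
    """Server side: one salted hash of the pre-hash. The pre-hash itself is a
    password-equivalent and must never be stored as received."""
    salt = os.urandom(16)
    digest = hmac.new(salt, prehash, "sha256").digest()
    return "{}${}".format(base64.b64encode(salt).decode("ascii"),
                          base64.b64encode(digest).decode("ascii"))


def server_verify(prehash: bytes, record: str) -> bool:
    """Recompute the salted hash of the received pre-hash; constant-time compare."""
    salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    return hmac.compare_digest(hmac.new(salt, prehash, "sha256").digest(), expected)


def attacker_cost(dictionary, record: str, username: str, rounds: int = CLIENT_ROUNDS):
    """Offline dictionary attack with a leaked record. Each guess costs `rounds`
    PBKDF2 iterations plus one HMAC, because the attacker must reproduce the
    client's stretching before the server-side salt can even be applied.
    Returns (matched_password_or_None, pbkdf2_iterations_spent)."""
    spent = 0
    for guess in dictionary:
        spent += rounds
        if server_verify(client_prehash(username, guess, rounds), record):
            return guess, spent
    return None, spent


if __name__ == "__main__":
    # Registration: client stretches, server salts and stores.
    record = server_store(client_prehash("alice", "correct horse battery staple"))
    # Login: client stretches again, server checks.
    print(server_verify(client_prehash("alice", "correct horse battery staple"), record))
    # Constructed wordlist for the attack simulation.
    print(attacker_cost(["letmein", "password", "correct horse battery staple"],
                        record, "alice"))
```

Caveats a practitioner would weigh before adopting this: the pre-hash travels over the network as the credential, so it still needs TLS; the server cannot tell whether a client actually did the rounds, so a modified client can weaken its own account but not anyone else's; and the round count is baked into every stored record, so raising it later means re-registering users or versioning the client salt and record, which is the same upgrade problem the server-side iteration field solves.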

thequbit commented 8 years ago

:+1: will implement.