Outsourced Password Hashing

Tags: devops programming python

The PassLib New Application Quickstart Guide reveals more about password hashing than I knew before reading it. Hashing and cryptography are two different things, but, as with crypto code, it’s best to leave password hashing to someone who knows the subject front and back.

I spent some time reading through the hashing routine in an old application to build an administrative password reset tool. We salt, and we use a decent hashing algorithm, but the code isn’t nearly as sophisticated as what we’d get with the default context provided by PassLib.

Here’s a ranking of password storage approaches, from worst to best:

-2. Passwords stored in plain text
-1. Passwords reversibly encrypted
0. Passwords naively hashed with a weak algorithm
1. Passwords salted and hashed
2. Passwords salted and hashed with a carefully chosen algorithm and procedure
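As an added example (not code from this post or from PassLib), here is what level 2 looks like using only the Python standard library: a random per-password salt, PBKDF2-HMAC-SHA256 with the round count stored alongside the digest, a constant-time comparison, and a check that flags records hashed under an older, cheaper policy so they can be re-hashed at the next successful login, which is the kind of upgrade PassLib's default context handles for you. The algorithm choice, round count and record format are my own assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed policy for this example. PassLib's default context picks its own
# algorithm and cost; this stand-in uses stdlib PBKDF2-HMAC-SHA256.
ALGORITHM = "pbkdf2_sha256"
ROUNDS = 200_000
SALT_BYTES = 16


def hash_password(password: str, rounds: int = ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, and storing the round count lets the cost be
    raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([
        ALGORITHM,
        str(rounds),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in
    constant time so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown format or algorithm: never verify it
    _, rounds, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(actual, expected)


def needs_update(record: str, min_rounds: int = ROUNDS) -> bool:
    """True when a record was hashed with fewer rounds than current policy;
    re-hash it after the next successful verify_password call."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < min_rounds
```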

Users will reuse passwords in your application. Storing weakly hashed or encrypted passwords opens your users’ email, social media, shopping, and banking accounts to fraud and abuse should your application ever be compromised. Users hate that. Don’t let your users hate you over something so easy to do well with the help of open source libraries.