After the Gawker passwords were compromised, it might be a good idea to look at how you are storing your passwords. Considering:
A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.
To use bcrypt in Python you will need a third-party library called Bcryptor. It has a simple enough API:
>>> import bcryptor
>>>
>>> hasher = bcryptor.Bcrypt()
>>> hash = hasher.create('password')
>>>
>>> hasher.valid('password', hash)
True
>>> hasher.valid('Password', hash)
False
False
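To see what a work factor buys for the 6-character keyspace quoted above, here is an added example that is not part of the original post. It uses only the standard library, so PBKDF2-HMAC-SHA256 stands in for bcrypt; the function names, the `iterations$salt$digest` record format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

KEYSPACE = 36 ** 6      # 6 chars of lowercase letters + digits, as in the quote
ITERATIONS = 200_000    # assumed work factor for the stand-in KDF

def fast_hash(password):
    """Unsalted MD5: the cheap-to-guess scheme the post warns about."""
    return hashlib.md5(password).digest()

def slow_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256, standing in for bcrypt's tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def store(password):
    """Return 'iterations$salt$digest' with a fresh random salt per user."""
    salt = os.urandom(16)
    digest = slow_hash(password.encode(), salt)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = slow_hash(password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def seconds_per_guess(fn, runs):
    """Average wall-clock cost of one hash computation."""
    start = time.perf_counter()
    for i in range(runs):
        fn(b"guess%d" % i)
    return (time.perf_counter() - start) / runs

def exhaust_times():
    """Seconds to hash every password in KEYSPACE, (md5, kdf), one core."""
    salt = os.urandom(16)
    md5_cost = seconds_per_guess(fast_hash, 20000)
    kdf_cost = seconds_per_guess(lambda p: slow_hash(p, salt), 3)
    return KEYSPACE * md5_cost, KEYSPACE * kdf_cost

if __name__ == "__main__":
    record = store("password")
    print(verify("password", record), verify("Password", record))
    md5_t, kdf_t = exhaust_times()
    print("MD5: %.0f s, PBKDF2: %.1f years" % (md5_t, kdf_t / 31_557_600))
```

The MD5 figure is measured through the Python interpreter on one core, so it understates what optimized native code achieves; the gap to the slow hash is wider in practice.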