在GAE / python中存储密码的最佳实践 [英] Best practices for storing passwords in GAE/python
问题描述
我需要在我的GAE / python2.7应用程序中实现密码存储。我已经实现了用于授权的Cookie,我已经有一个帐户/用户模型,并且我已经通过第三方进行了身份验证。现在,我需要通过密码(客户请求)添加身份验证。
我想要安全地存储密码。我已经确定了几个选项(下面),这些选项似乎很明智,但是我之前从未实现过密码存储,所以我不知道我不知道什么。我宁愿避免一个问题,而不是等待问题。
我的问题是:这是GAE的最佳做法吗?如果没有,请问是什么?
请注意,我只是在存储之前寻找散列密码的方法,并进行比较。我不需要一个完整的用户模块。
我已经查看了以前的问题这是有帮助的,但不直接解决我的问题。
选项: 使用 Django 。就像
import django.contrib.auth.hashers as foo
to_store_in_db = foo.make_password(conforming_password)
#后来
通行证= foo.check_password(entered_password,password_from_db)
(我们目前不在应用程序中使用Django,所以我们可以使用任何我们喜欢的,但我建议1.4,因为它是最近可用的GAE,不是'最新'的移动目标)
使用 webapp2_extras.security - 与上面类似,但使用
generate_password_hash()#Seems like it仅支持md5 / sha1
check_password_hash()
感谢
在功能只是为了: https://docs.python.org/2/library/hashlib.html#key-derivation-function <一>。
>>> import hashlib,binascii
>>> dk = hashlib.pbkdf2_hmac('sha256',b'password',b'salt',100000)
>>> binascii.hexlify(dk)
'b $ 0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
其中盐应该随机存储在数据库中的密码旁边。这使用
sha256 这似乎足够用于此目的。 获得好的(安全随机的)sald可能是一个问题,但在更新版本的GAE中,您可以指定pycrypto依赖项并使用:
from Crypto.Random import get_random_bytes
I need to implement password storage in my GAE/python2.7 app. I've already implemented cookies for authorization, I already have a Account/user model, and I already have authentication via 3rd parties. Now I need to add authentication via password (a customer request).
I want the passwords to be stored securely. I've identified a couple of options (below), that seem sensible, but I've never implemented password storage before, so I dont know what I dont know. I'd rather avoid a problem than wait for a problem.
My question is: is this best practice for GAE? If not, what is?
Note that I'm only looking for a way to hash passwords prior to storage, and compare. I don't need a full-stack users module.
I've already reviewed a previous question which is helpful, but doesnt directly solve my problem.
The options:
Use Django. Something like
import django.contrib.auth.hashers as foo to_store_in_db = foo.make_password(conforming_password) # later passes = foo.check_password(entered_password, password_from_db)(we dont currently use Django in our app, so we can use whichever we prefer, but I'm proposing 1.4 because it the most recent available in GAE that isnt the moving target of 'latest' )
Use webapp2_extras.security - similar to the above, but using
generate_password_hash() #Seems like it only supports md5/sha1 check_password_hash()
thanks
tom
There is a built-in function just for that: https://docs.python.org/2/library/hashlib.html#key-derivation-function.
>>> import hashlib, binascii
>>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
>>> binascii.hexlify(dk)
b'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
Where salt should be random string stored in databae alongside password. This uses sha256 which seems to be good enough for this purpose.
Getting good (securely random) sald might be a problem, but on newer versions of GAE you can specify pycrypto dependency, and use:
from Crypto.Random import get_random_bytes
这篇关于在GAE / python中存储密码的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
