Python – Password submission in Python

Password submission in Python… here is a solution to the problem.

Password submission in Python

I’m developing a website using Google App Engine and I’m wondering what is the right way to handle submissions.

I’m thinking of doing something like hashing the password with some salt on the client side and then hashing it again with some other salt on the server side.

I wonder if this is at least some sort of decent security and if it already has a Python library that does that or something better.

Solution

The standard practice is to use SSL encryption (such as https) for the connection, and then hash it with salt on the server side. When the user logs in later, you still have to verify the password, and sending a hash of the password from the browser to the server is just as insecure as sending the password itself; An attacker who intercepts either of these can still log in as that user.

There is a Python package called passlib that handles various forms of password hashing and salting for you:

from passlib.hash import sha256_crypt
hashed = sha256_crypt.encrypt(password)

It is generally a good idea to include the algorithm of choice in the stored password hash; RFC 2307 ciphers (used in LDAP) use the {SCHEME} prefix, and other hashing schemes use unix $digit$ prefix, where numbers are numbers; The sha256 scheme in the code snippet above is prefixed with $5$.

This allows you to upgrade your password scheme later while still supporting the old scheme by choosing the correct hashing algorithm to validate the password later.

Most passlib hashing schemes already return hashes with standard prefixes, and there are records in the detailed documentation page for each scheme. You can use .identify(). function to identify the hash algorithm used later when you need to validate the password hash value against the password entered.

Related Problems and Solutions