The issue I am having with bcrypt is that the module can't be imported into the Pythonista app on iOS, which is where I need to run my script. What else would you recommend similar to bcrypt that can generate a random salt, and has something like the checkpw() function built-in to quickly validate salted passwords?
What hashing algorithms would you recommend I use in Python3 that can generate a random salt, other than bcrypt?
115 Views Asked by marti At
If pbkdf2 is natively available, I'd use that before trying to roll your own bcrypt. When its work factors are sufficiently large, it's still a solid choice when bcrypt or scrypt aren't available, and using it directly is safer than trying to recreate something else by hand.
Not knowing more about your use case, a general recommendation: use pbkdf2 with a sufficiently large number of rounds to take about a half-second's worth of the upper end of the processor throughput of your target devices. This keeps the UX within tolerable wait times while still providing reasonable resistance to offline attack.
I'd also recommend randomizing that number of rounds slightly over a range (like a thousand). For example, if you settled on 200,000 as having an acceptable 500ms delay, I'd randomly pick a value between 200,000 and 202,000 (or something like that) - whatever is needed to ensure that most users will have different rounds from each other (assuming that all user passwords might be aggregated into a single location that could be compromised and the hashes stolen). This is because some of the newer "associative" / "correlation" attacks only work well against a large set of hashes when all of the cost factors across that set of hashes are the same.
Long term, also be sure that your code easily accepts a variable floor and ceiling for the number of rounds, so you can choose to increase your number of rounds over time as processors advance. (You could even get fancy and dynamically calculate the range of rounds based on the processor that the password is being created on, so that it's future ready without any additional intervention.)
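An added example (not part of the answer above) of the approach it describes, using only the standard library's `hashlib.pbkdf2_hmac`: a random salt, a per-user round count drawn from a configurable floor and spread, a `checkpw()`-style verifier, and a calibration helper. The function names, the `pbkdf2_sha256$rounds$salt$digest` record layout and the choice of SHA-256 are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import time

ROUNDS_FLOOR = 200_000   # figure from the answer; calibrate for your own devices
ROUNDS_SPREAD = 2_000    # per-user variation above the floor
SALT_BYTES = 16

def hash_password(password, floor=ROUNDS_FLOOR, spread=ROUNDS_SPREAD):
    """Return 'pbkdf2_sha256$rounds$salt$digest' with a random salt and round count."""
    rounds = floor + secrets.randbelow(spread + 1)
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "$".join(["pbkdf2_sha256", str(rounds), b64(salt), b64(digest)])

def check_password(password, stored, max_rounds=10_000_000):
    """Verify a password; rounds and salt are read back from the stored record."""
    try:
        scheme, rounds_s, salt_b64, digest_b64 = stored.split("$")
        rounds = int(rounds_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False
    # Cap the rounds so a tampered record cannot stall the verifier.
    if scheme != "pbkdf2_sha256" or not 1 <= rounds <= max_rounds:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def needs_rehash(stored, floor=ROUNDS_FLOOR):
    """True when a record is malformed or was created below the current floor."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < floor

def calibrate_floor(target_seconds=0.5, probe_rounds=50_000):
    """Estimate how many rounds take about target_seconds on this device."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"0" * SALT_BYTES, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe_rounds, int(probe_rounds * target_seconds / elapsed))
```

After a successful `check_password`, a record for which `needs_rehash` returns true can be replaced with a fresh `hash_password` result, which is how the floor is raised over time without forcing password resets.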