Question

I was wondering if this would be a secure method of authentication:

import hashlib  # needed for hashlib.sha512 below

theInput = raw_input("Enter password: ")
theHashed = hashlib.sha512(theInput).hexdigest()
if theHashed == "35211b890b19afebfabc3451f04d150f1423bcb54ff7d62095677d7af7560fcvb56c112e879288836cb506853516c5dbd1d779cfaedf4a2f6f6a303600c0c589":
    print "Correct!"

If not, what could I do to make it more secure?


Solution

Maybe, as long as somebody can't read or modify your code.

In the case where this is a program run locally on one computer, and the file is installed in such a way that normal users can't change it, and you know there is no keylogger installed, then maybe it's okay.

Even if a user can read this file, they can make a copy and modify their copy to remove the authentication step.

Program security is a complex and deep topic that goes beyond mere choice of hashing algorithm.

Other tips

Greg Hewgill's first point is worth emphasizing. I've just discovered -- somewhat to my surprise -- that on my notebook, the system hashlib.py is open to the world. Accordingly, beating the above authentication is trivial:

localhost-2:coding $ cat hashcrack.py 
class always_equal(object):
    def __eq__(self, other):
        return True

class sha512(object):
    def __init__(self, password):
        pass
    def hexdigest(self):
        return always_equal()
localhost-2:coding $ cat hashcrack.py >> /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py
localhost-2:coding $ cat notsosecure.py 
import hashlib
theInput = raw_input("Enter password: ")
theHashed = hashlib.sha512(theInput).hexdigest()
if theHashed == "35211b890b19afebfabc3451f04d150f1423bcb54ff7d62095677d7af7560fcvb56c112e879288836cb506853516c5dbd1d779cfaedf4a2f6f6a303600c0c589":
    print "Correct!"
localhost-2:coding $ python notsosecure.py 
Enter password: pwned
Correct!

Come to think of it, I didn't even need to make a new sha512 class, I could simply have monkeypatched hexdigest in the old one.

Anyway, +1 to the point that it's not the number of bits in your hash which is the dominant security hazard.

Use import getpass and then theInput = getpass.getpass("Enter password: ") instead of raw_input().

For password authentication in general, you should be thinking more about KDFs like PBKDF2 and scrypt. You should also check out the new cryptography library:

https://cryptography.io/en/latest/
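Putting the getpass and KDF tips together, here is an added example (not code from the question or from any answer): a salted PBKDF2-HMAC-SHA512 record plus a constant-time check, written in Python 3 rather than the question's Python 2. The `pbkdf2_sha512$<iterations>$<salt_hex>$<hash_hex>` record layout and the iteration count are my own assumptions, not a standard.

```python
# Added example: password verification with a salted PBKDF2-HMAC-SHA512
# hash and a constant-time comparison. Python 3. The record format
# "pbkdf2_sha512$<iterations>$<salt_hex>$<hash_hex>" is an assumption
# made for this example, not a standard layout.
import getpass
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune upward for the target hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, cost, salt and digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha512${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Recompute the digest from the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha512":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha512", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: refuse rather than crash
    # hmac.compare_digest avoids leaking where the two digests first differ
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # In practice the record is generated once and stored outside the script.
    record = hash_password("correct horse battery staple")  # constructed sample
    attempt = getpass.getpass("Enter password: ")  # no echo, unlike raw_input()
    print("Correct!" if verify_password(record, attempt) else "Wrong password.")
```

Note that this still does nothing against the answers' main point: anyone who can edit the script, or the `hashlib` module it imports, can bypass the check regardless of the KDF.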

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow