Comments on: Secure Password Scheme for Turbogears2 Application with repoze.who and bcrypt

By: Aigars Mahinovs

Aigars Mahinovs — Sat, 05 Dec 2009 19:49:22 +0000

Heh, I implemented a random-salted SHA256 password extension to the TG2.0 default scheme in like 4 lines added to the default code and with 2 more lines allowed usage of legacy MD5 random-salted passwords that most of our users still have in the database.

I think the new default code in TG2.1 should accept any of the old hash types that TG ever supported (and some other legacy types, like AD-hash or Linux crypt()) and have an option (turned-off by default, but prominent) that would replace the hash with the most secure type on next login of a user.

By: Heikki Toivonen

Heikki Toivonen — Wed, 02 Dec 2009 17:14:16 +0000

Thanks John and Daniel. I’ll definitely be checking out bcryptor and cryptacular.

By: Daniel Holth

Daniel Holth — Wed, 02 Dec 2009 15:45:14 +0000

I wrote Cryptacular (http://pypi.python.org/pypi/cryptacular) after reading that rant. It uses ctypes to talk to a public-domain bcrypt implementation instead of the BSD-licensed implementation.

It’s designed for people who may need to deal with many different hashing schemes with optional hash migration when a user authenticates against a legacy hash. You can start using good hashes in your application without having to delete all your old password hashes; they will simply be replaced as users log in.

By: John Secal

John Secal — Wed, 02 Dec 2009 07:39:48 +0000

bcryptor [1] is a wrapper for bcrypt that provides a high level object oriented wrapper around bcrypt as well as low level bindings to the C library, so it’s very fast.

And there is not problem to install from PyPi.

$ sudo easy_install bcryptor

[1] http://pypi.python.org/pypi/bcryptor/