How to use scrypt to generate hash for password and salt in Python

后端 未结 2 1888
栀梦
栀梦 2021-02-14 21:34

I would like to use scrypt to create a hash for my users\' passwords and salts. I have found two references, but there are things I don\'t understand about them.

They u

2条回答
  •  滥情空心
    2021-02-14 21:44

    Both of those references got it completely wrong. Don't muck with encrypt and decrypt: just use hash

    The KDF is not directly exposed, but hash is close enough. (In fact, it appears to me to be even better, because it mixes the filling of a PBKDF2 sandwich.)

    This example code works with both python2.7 and python3.2. It uses PyCrypto, passlib, and py-scrypt, but only needs py-scrypt.

    You will want to use a contstant-time comparison function like passlib.utils.consteq to mitigate timing attacks.

    You will also want to choose the parameters carefully. The defaults logN=14,r=8,p=1 mean 1 "round" using 16 MiB of memory. On a server, you probably want something more like 10,8,8 -- less RAM, more CPU. You should time it on your hardware under your expected load.

提交回复
热议问题