github/plexpy
1
0
Fork 0
mirror of https://github.com/Tautulli/Tautulli.git synced 2025-07-06 05:01:14 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
plexpy/lib/hashing_passwords.py

61 lines
2 KiB
Python
Raw Blame History

# coding: utf8
"""
Securely hash and check passwords using PBKDF2.
Use random salts to protect againt rainbow tables, many iterations against
brute-force, and constant-time comparaison againt timing attacks.
Keep parameters to the algorithm together with the hash so that we can
change the parameters and keep older hashes working.
See more details at http://exyr.org/2011/hashing-passwords/
Author: Simon Sapin
License: BSD
"""
import hashlib
from os import urandom
from base64 import b64encode, b64decode
from hashlib import pbkdf2_hmac
# Parameters to PBKDF2. Only affect new passwords.
SALT_LENGTH = 16
KEY_LENGTH = 24
HASH_FUNCTION = 'sha256' # Must be in hashlib.
# Linear to the hashing time. Adjust to be high but take a reasonable
# amount of time on your server. Measure with:
# python -m timeit -s 'import passwords as p' 'p.make_hash("something")'
COST_FACTOR = 10000
def make_hash(password):
"""Generate a random salt and return a new hash for the password."""
if isinstance(password, str):
password = password.encode('utf-8')
salt = b64encode(urandom(SALT_LENGTH))
return 'PBKDF2${}${}${}${}'.format(
HASH_FUNCTION,
COST_FACTOR,
salt.decode('utf-8'),
b64encode(pbkdf2_hmac(HASH_FUNCTION, password, salt, COST_FACTOR, KEY_LENGTH)).decode('utf-8'))
def check_hash(password, hash_):
"""Check a password against an existing hash."""
if isinstance(password, str):
password = password.encode('utf-8')
algorithm, hash_function, cost_factor, salt, hash_a = hash_.split('$')
assert algorithm == 'PBKDF2'
hash_a = b64decode(hash_a.encode('utf-8'))
hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a))
assert len(hash_a) == len(hash_b) # we requested this from pbkdf2_bin()
# Same as "return hash_a == hash_b" but takes a constant time.
# See http://carlos.bueno.org/2011/10/timing.html
diff = 0
for char_a, char_b in zip(hash_a, hash_b):
diff |= char_a ^ char_b
return diff == 0
Reference in a new issue View git blame Copy permalink