bcrypt in python


Solution 1

How about comparing the two? Here is code to hash a password of 8000 random bits and corresponding times:

Hashlib:

#!/usr/bin/env python3
import hashlib
import random

# 8000 random bits rendered as a decimal string, then encoded to bytes (hashlib needs bytes)
password = str(random.getrandbits(8000)).encode()
# One unsalted SHA-512 round: fast, and therefore cheap for an attacker to brute-force
print(hashlib.sha512(password).hexdigest())

Hashlib including salt:

#!/usr/bin/env python3
import hashlib
import random

password = str(random.getrandbits(8000)).encode()
# A per-password salt defeats precomputed tables, but a single SHA-512 round is still fast
salt = str(random.getrandbits(256)).encode()
print(hashlib.sha512(password + salt).hexdigest())

bcrypt:

#!/usr/bin/env python3
import bcrypt
import random

# bcrypt only uses the first 72 bytes of its input (recent versions of the bcrypt
# package reject longer passwords outright), so truncate explicitly
password = str(random.getrandbits(8000)).encode()[:72]
# gensalt() defaults to cost factor 12; the salt and cost are embedded in the output
print(bcrypt.hashpw(password, bcrypt.gensalt()))

Timing bcrypt:

$ time ./bcrypt_test.py 
$2a$12$Om3a3zKsCNAM/SLB3hq5w.HYukFwn4CJ73rjXYNUPgqckUx2uLEmG

real    0m0.401s
user    0m0.313s
sys 0m0.013s

Timing hashlib:

$ time ./hashlib_test.py 
9e37eb4f164bbb1808833297d0244327e4faac109cd92729228f6e36d75d23044ac13a7a1907515cd6db44474b244678779e3ae4e97d8355c2069332aae52d61

real    0m0.032s
user    0m0.021s
sys 0m0.010s
$ 
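The timing comparison above, and the question's concern about a bcrypt that is too slow to use, both come down to the same number: how many guesses per second a given hash allows. The benchmark below is an added example, not code from the answer or from the bcrypt project; it measures salted SHA-512 against bcrypt at several cost factors (assuming the C-backed `bcrypt` package is installed) and also shows the correct bytes-in, salt-embedded usage of `hashpw`/`checkpw`.

```python
#!/usr/bin/env python3
"""Benchmark: one-round hashes versus bcrypt at several cost factors (added example)."""
import hashlib
import os
import time

try:
    import bcrypt                      # pip install bcrypt (the C-backed package)
except ImportError:                    # the hashlib cases still run without it
    bcrypt = None

PASSWORD = b"correct horse battery staple"   # constructed sample password


def sha512_salted(password: bytes, salt: bytes) -> str:
    """One salted SHA-512 digest: a single fast round, as in the answer above."""
    return hashlib.sha512(salt + password).hexdigest()


def bcrypt_hash(password: bytes, rounds: int) -> bytes:
    """bcrypt hash; cost factor and salt are embedded in the returned string."""
    return bcrypt.hashpw(password, bcrypt.gensalt(rounds=rounds))


def bcrypt_verify(password: bytes, stored: bytes) -> bool:
    """Verification re-reads cost and salt from `stored`; no separate salt column."""
    return bcrypt.checkpw(password, stored)


def bcrypt_available() -> bool:
    return bcrypt is not None


def hashes_per_second(fn, min_seconds: float = 0.2) -> float:
    """Call fn() repeatedly for at least min_seconds and return the observed rate."""
    count, start = 0, time.perf_counter()
    while True:
        fn()
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


if __name__ == "__main__":
    salt = os.urandom(16)
    fast = hashes_per_second(lambda: sha512_salted(PASSWORD, salt))
    print(f"sha512+salt : {fast:12.0f} hashes/s")
    if bcrypt_available():
        for rounds in (4, 8, 12):            # each +1 on the cost doubles the work
            rate = hashes_per_second(lambda: bcrypt_hash(PASSWORD, rounds))
            print(f"bcrypt cost {rounds:2d}: {rate:12.2f} hashes/s "
                  f"({fast / rate:,.0f}x slower than sha512)")
```

The ratio printed on the last line is the factor by which bcrypt slows down an offline guessing attack against a leaked hash; pick the highest cost whose per-login latency your service can afford.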

Solution 2

Try passlib. It has a C implementation of bcrypt.

Author: Maik Klein

Updated on June 19, 2022

Comments

  • Maik Klein, almost 2 years ago:

    At the moment I'm trying to build a login system with very high security.

    So I want to use bcrypt and I've also found a 3rd party library, py-bcrypt.

    But the author said it is a pure python implementation.

    Now I read somewhere that it is not recommended to use bcrypt in python only because it is too slow and this results in a security leak. bcrypt should be implemented in C.

    Can anyone confirm this? Now what should I do?

    Should I use:

    • bcrypt (python)
    • SHA512 (from hashlib)
    • something different

    I'm using Google App Engine.

    EDIT: http://packages.python.org/passlib/lib/passlib.hash.bcrypt.html#bcrypt-backends

    It should be noted that the pure-python implementation (#4) is too slow to be useable, given the number of rounds currently required for security. Because of this, it is disabled by default, unless the environment variable PASSLIB_BUILTIN_BCRYPT="enabled" is set.