How to correctly store the users credentials

Asked Mar 06 '19 at 13:10

Active Mar 06 '19 at 16:41

Viewed 153 times

I am writing an application that requires a username/password for the first time.

I was wondering if the concept code below is a valid and secure way to store user passwords in the database. I hope this question is not to vague.

#!/usr/bin/env python

from Crypto.Hash import SHA512, HMAC
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Random import get_random_bytes

def main():
    password = request.form["password"]

    # only used the first time a password is generated.
    #salt = get_random_bytes(64)

    iteration = from_database() # at least 100000
    stored_salt = from_database()

    prf = lambda password, stored_salt: HMAC.new(password, stored_salt, SHA512).digest()
    key = PBKDF2(password, stored_salt, dkLen=64, count=iteration, prf=prf)

    # contents of key:
    # 5efcc2bf5907e8ef20051f270515191e6ff3df018dbf34ced12039297d21492feb3c3a562f459a4d345dbf705da1f8d0ef892ef9093f7c1911f4f478e2433173

if __name__ == "__main__":
    main()

asked Mar 06 '19 at 13:10

kyr0

3

See also How to securely hash passwords? – Sjoerd Mar 06 '19 at 13:33
Thanks @sjoerd, I have read that article before posting this question. I was more aiming at a quality check of my specific implementation. – kyr0 Mar 06 '19 at 13:38
2

Implement the password validation part and add it into your post. That's where most of the bugs come from. – Polynomial Mar 06 '19 at 14:22
Unfortunately, we are not a code review site. – schroeder Mar 06 '19 at 16:56

How to correctly store the users credentials

0 Answers0