Find file
Fetching contributors…
Cannot retrieve contributors at this time
67 lines (52 sloc) 2.16 KB
# coding: utf8
Securely hash and check passwords using PBKDF2.
Use random salts to protect againt rainbow tables, many iterations against
brute-force, and constant-time comparaison againt timing attacks.
Keep parameters to the algorithm together with the hash so that we can
change the parameters and keep older hashes working.
See more details at
Author: Simon Sapin
License: BSD
import hashlib
from os import urandom
from base64 import b64encode, b64decode
from itertools import izip
# From
from pbkdf2 import pbkdf2_bin
# Parameters to PBKDF2. Only affect new passwords.
HASH_FUNCTION = 'sha256' # Must be in hashlib.
# Linear to the hashing time. Adjust to be high but take a reasonable
# amount of time on your server. Measure with:
# python -m timeit -s 'import passwords as p' 'p.make_hash("something")'
def make_hash(password):
"""Generate a random salt and return a new hash for the password."""
if isinstance(password, unicode):
password = password.encode('utf-8')
salt = b64encode(urandom(SALT_LENGTH))
return 'PBKDF2${}${}${}${}'.format(
b64encode(pbkdf2_bin(password, salt, COST_FACTOR, KEY_LENGTH,
getattr(hashlib, HASH_FUNCTION))))
def check_hash(password, hash_):
"""Check a password against an existing hash."""
if isinstance(password, unicode):
password = password.encode('utf-8')
algorithm, hash_function, cost_factor, salt, hash_a = hash_.split('$')
assert algorithm == 'PBKDF2'
hash_a = b64decode(hash_a)
hash_b = pbkdf2_bin(password, salt, int(cost_factor), len(hash_a),
getattr(hashlib, hash_function))
assert len(hash_a) == len(hash_b) # we requested this from pbkdf2_bin()
# Same as "return hash_a == hash_b" but takes a constant time.
# See
diff = 0
for char_a, char_b in izip(hash_a, hash_b):
diff |= ord(char_a) ^ ord(char_b)
return diff == 0