
I'm wondering what the state of the art is for transmitting passwords from a web form and storing them in the data store.

A lot of recent posts point to bcrypt; however, there are no pure Python implementations, which is a requirement for App Engine.

Any suggestions?

znq

3 Answers


Best practice? Use the Users API with either Google Accounts or OpenID, so you're not storing or transmitting passwords in the first place.

If you must do it yourself, transmit the login data over SSL, and store the password hashed, salted, and strengthened, using a scheme such as PBKDF2.

Nick Johnson

  • Absolutely. The state-of-the-art is to let Google, Facebook, Twitter, or LinkedIn worry about the security of their password system, and you just store a temporary token. I'm sure Gawker and Sony (PS3) had many smart people on staff, but it didn't stop them from doing one dumb thing that got exploited. – Calvin Feb 15 '11 at 00:00
  • Yes, yes, yes. @znq, you should really think long and hard about whether it is really worth reinventing a wheel that is already so beautifully round. – Adam Crossland Feb 15 '11 at 14:01
  • For many apps, it's unreasonable to require users to have a Google account, and OpenID is still marked "experimental" in the GAE docs. – I. J. Kennedy May 20 '13 at 21:39

You can use PyCrypto, which has been ported to google-app-engine.

You should never store the actual passwords, of course. Storing a hash should be sufficient. When the user enters his password, you hash it again and compare it to the stored value.

You should of course only receive passwords over https, which is supported in google-app-engine (albeit only through your appspot domain).

Klaus Byskov Pedersen

  • Saying that "Storing a hash should be sufficient." isn't that a little bit of bad advice? I think that a salt should be added to the mix at least once; check this answer (not the accepted one, but the most voted one): http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190 – hectorg87 Jul 17 '12 at 10:37
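The "hashed, salted, and strengthened with PBKDF2" scheme from the first answer, combined with the hash-and-compare login check and the per-user salt raised in the comment above, as an added example (not code from any answer here). It assumes Python 3 and uses only the standard library (`hashlib.pbkdf2_hmac`, `hmac`, `os`), so no third-party C extension is needed; the iteration count, salt size and record format are assumptions chosen for the demo.

```python
"""Salted, strengthened password storage with PBKDF2 using only the stdlib.

Added example, not from any answer on this page. Record format
(algorithm$iterations$salt$digest) is an assumption for this demo.
"""
import hashlib
import hmac
import os
from typing import Optional

# Demo parameters (assumptions): tune iterations to your CPU budget.
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iters>$<salt>$<digest>.

    A fresh random salt per user makes identical passwords produce different
    records (defeating precomputed tables); the iteration count makes every
    guess expensive for whoever obtains a copy of the data store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return "$".join(["pbkdf2_" + HASH_NAME, str(iterations),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]
        digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    except (ValueError, IndexError):
        return False  # malformed record: fail closed, never raise on login
    # hmac.compare_digest avoids leaking the mismatch position via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # store this string
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))  # False
```

Storing the iteration count inside the record lets you raise it later and transparently re-hash a user's password at their next successful login.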

BCrypt was ported to Python some time ago. I've been using it gracefully since then.

Jose L Ugia