How to obscure a password

Discussion in 'Python' started by Batista, Facundo, Feb 26, 2004.

  1. I'm doing a small program, in which the user will have the option to enter
    his/her password everytime, or just save it (to a file).

    So, is there a module to obscure the password text in a secure way?

    I can't hash it (with md5 or something), because I not need to compare the
    password the user enters with a previous one.

    I need to restore the password later and use it as if the user just entered
    it.

    Thank you all!

    Facundo Batista
    Gestión de Red

    (54 11) 5130-4643
    Cel: 15 5132 0132
    Batista, Facundo, Feb 26, 2004
    #1
    1. Advertising

  2. Batista, Facundo

    Rene Pijlman Guest

    Batista, Facundo:
    >So, is there a module to obscure the password text in a secure way?


    You can only obscure a password in an obscure way, not in a secure way.

    >I can't hash it (with md5 or something), because I not need to compare the
    >password the user enters with a previous one.
    >
    >I need to restore the password later and use it as if the user just entered
    >it.


    I use rotor for that.
    http://www.python.org/doc/current/lib/module-rotor.html

    --
    René Pijlman
    Rene Pijlman, Feb 26, 2004
    #2
    1. Advertising

  3. Batista, Facundo

    Peter Hansen Guest

    "Batista, Facundo" wrote:
    >
    > I'm doing a small program, in which the user will have the option to enter
    > his/her password everytime, or just save it (to a file).
    >
    > So, is there a module to obscure the password text in a secure way?


    No. Absolutely not.

    > I can't hash it (with md5 or something), because I not need to compare the
    > password the user enters with a previous one.
    >
    > I need to restore the password later and use it as if the user just entered
    > it.


    Your design is probably fundamentally flawed in that case. Are you
    certain it is not possible to store the hashed password and always
    to compare against it?

    The biggest concern I have with systems that allow retrieving the password,
    even as an administrator, is that the users are generally not informed
    that the administrator has full access to their passwords. Since
    many people re-use their favourite passwords all over the place, they
    are prone to using the same password that gets them into their online
    banking system as they use for the little web-based community site (or
    whatever it is) that you're setting up.

    No matter how secure you make the front end (https, encrypting passwords
    in Javascript, etc) if you store the unencrypted password anywhere, you
    are doing your users a gross disservice. Don't do it! IMHO.

    -Peter
    Peter Hansen, Feb 26, 2004
    #3
  4. Batista, Facundo

    John Burton Guest

    Batista, Facundo wrote:
    > I'm doing a small program, in which the user will have the option to enter
    > his/her password everytime, or just save it (to a file).
    >
    > So, is there a module to obscure the password text in a secure way?
    >
    > I can't hash it (with md5 or something), because I not need to compare the
    > password the user enters with a previous one.
    >
    > I need to restore the password later and use it as if the user just entered
    > it.
    >
    > Thank you all!


    Probably your best method is to install something like this -
    http://www.amk.ca/python/code/crypto.html

    and use AES or DES3 or similar to encrypt the passwords.
    Of course you then have to keep the encryption keyt secure but that may
    or may not be a problem for you.
    John Burton, Feb 26, 2004
    #4
  5. Batista, Facundo

    Rene Pijlman Guest

    John Burton:
    >Batista, Facundo wrote:
    >> I'm doing a small program, in which the user will have the option
    >> to enter his/her password everytime, or just save it (to a file).


    >Probably your best method is to [...] use AES or DES3 or similar
    >to encrypt the passwords. Of course you then have to keep the
    >encryption keyt secure


    No problem. Just ask the user to enter it everytime :)

    --
    René Pijlman
    Rene Pijlman, Feb 26, 2004
    #5
  6. Batista, Facundo

    Lucas Raab Guest

    The only problem with using rotor, is that, given the time, someone could
    decrypt the password file by using the encrypted form and guessing the key.

    "Rene Pijlman" <> wrote in
    message news:...
    > Batista, Facundo:
    > >So, is there a module to obscure the password text in a secure way?

    >
    > You can only obscure a password in an obscure way, not in a secure way.
    >
    > >I can't hash it (with md5 or something), because I not need to compare

    the
    > >password the user enters with a previous one.
    > >
    > >I need to restore the password later and use it as if the user just

    entered
    > >it.

    >
    > I use rotor for that.
    > http://www.python.org/doc/current/lib/module-rotor.html
    >
    > --
    > René Pijlman
    Lucas Raab, Feb 26, 2004
    #6
  7. "Lucas Raab" <> writes:

    > The only problem with using rotor, is that, given the time, someone could
    > decrypt the password file by using the encrypted form and guessing
    > the key.


    Or they could just steal the key. As he said, you can only obscure a
    password in an obscure way, not a secure way.

    --
    Christopher A. Craig <>
    If you threw a glass of cold water on a liberal in the middle of a sound
    sleep, he'd jerk awake denouncing the religious right -- Ann Coulter
    Christopher A. Craig, Feb 27, 2004
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Batista, Facundo

    RE: How to obscure a password

    Batista, Facundo, Feb 26, 2004, in forum: Python
    Replies:
    2
    Views:
    282
    Peter Hansen
    Feb 26, 2004
  2. Batista, Facundo

    RE: How to obscure a password

    Batista, Facundo, Feb 26, 2004, in forum: Python
    Replies:
    2
    Views:
    246
    Rene Pijlman
    Feb 26, 2004
  3. Frank Millman

    Obscure bug in pyPgSQL

    Frank Millman, Aug 6, 2004, in forum: Python
    Replies:
    2
    Views:
    350
    =?ISO-8859-1?Q?Gerhard_H=E4ring?=
    Aug 6, 2004
  4. AAaron123
    Replies:
    2
    Views:
    2,079
    AAaron123
    Jan 16, 2009
  5. AAaron123
    Replies:
    1
    Views:
    1,305
    Oriane
    Jan 16, 2009
Loading...

Share This Page