Python sha512安全性
[英]Python sha512 security
问题描述
I was wondering if this would be a secure method of authentication: 
我想知道这是否是一种安全的身份验证方法:
theInput = raw_input("Enter password: ")
theHashed = hashlib.sha512(theInput).hexdigest()
if theHashed == "35211b890b19afebfabc3451f04d150f1423bcb54ff7d62095677d7af7560fcvb56c112e879288836cb506853516c5dbd1d779cfaedf4a2f6f6a303600c0c589":
print "Correct!"
If not, what could I do to make it more secure? 如果没有,我该怎么做才能让它更安全?
4 个解决方案
解决方案1
4 已采纳 2012-01-06 03:53:21
Maybe , as long as somebody can't read or modify your code. 也许 ,只要有人无法阅读或修改您的代码。
In the case where this is a program run locally on one computer, and the file is installed in such a way that normal users can't change it, and you know there is no keylogger installed, then maybe it's okay. 如果这是一台在一台计算机上本地运行的程序,并且该文件的安装方式使普通用户无法更改它,并且您知道没有安装键盘记录器,那么也许没关系。
Even if a user can read this file, they can make a copy and modify their copy to remove the authentication step. 即使用户可以读取此文件,他们也可以制作副本并修改其副本以删除身份验证步骤。
Program security is a complex and deep topic that goes beyond mere choice of hashing algorithm. 程序安全性是一个复杂而深刻的主题,不仅仅是选择散列算法。
解决方案2
2 2012-01-06 04:58:37
Greg Hewgill's first point is worth emphasizing. Greg Hewgill的第一点值得强调。 I've just discovered -- somewhat to my surprise -- that on my notebook, the system hashlib.py is open to the world. 我刚刚发现 - 有点令我惊讶的是 - 在我的笔记本上,系统hashlib.py向全世界开放。 Accordingly, beating the above authentication is trivial: 因此,击败上述身份验证是微不足道的:
localhost-2:coding $ cat hashcrack.py
class always_equal(object):
def __eq__(self, other):
return True
class sha512(object):
def __init__(self, password):
pass
def hexdigest(self):
return always_equal()
localhost-2:coding $ cat hashcrack.py >> /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py
localhost-2:coding $ cat notsosecure.py
import hashlib
theInput = raw_input("Enter password: ")
theHashed = hashlib.sha512(theInput).hexdigest()
if theHashed == "35211b890b19afebfabc3451f04d150f1423bcb54ff7d62095677d7af7560fcvb56c112e879288836cb506853516c5dbd1d779cfaedf4a2f6f6a303600c0c589":
print "Correct!"
localhost-2:coding $ python notsosecure.py
Enter password: pwned
Correct!
Come to think of it, I didn't even need to make a new sha512 class, I could simply have monkeypatched hexdigest in the old one. 想想看,我甚至不需要创建一个新的sha512类,我可以简单地在旧版本中使用monkeypatched hexdigest。
Anyway, +1 to the point that it's not the number of bits in your hash which is the dominant security hazard.. 无论如何,+1指的是它不是哈希中主要安全隐患的位数。
解决方案3
2 2012-01-06 05:43:49
使用import getpass然后使用theInput = getpass.getpass("Enter password: ")而不是raw_input()。
解决方案4
1 2014-01-09 20:33:28
For password authentication in general, you should be thinking more about KDFs like PBKDF2 and scrypt. 对于一般的密码验证,您应该更多地考虑像PBKDF2和scrypt这样的KDF。 You should also check out the new cryptography library: 您还应该查看新的加密库:
https://cryptography.io/en/latest/ https://cryptography.io/en/latest/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.