1

I am writing an application that requires a username/password for the first time.

I was wondering if the concept code below is a valid and secure way to store user passwords in the database. I hope this question is not to vague.

#!/usr/bin/env python

from Crypto.Hash import SHA512, HMAC
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Random import get_random_bytes

def main():
    password = request.form["password"]

    # only used the first time a password is generated.
    #salt = get_random_bytes(64)

    iteration = from_database() # at least 100000
    stored_salt = from_database()

    prf = lambda password, stored_salt: HMAC.new(password, stored_salt, SHA512).digest()
    key = PBKDF2(password, stored_salt, dkLen=64, count=iteration, prf=prf)

    # contents of key:
    # 5efcc2bf5907e8ef20051f270515191e6ff3df018dbf34ced12039297d21492feb3c3a562f459a4d345dbf705da1f8d0ef892ef9093f7c1911f4f478e2433173

if __name__ == "__main__":
    main()
kyr0
  • 11
  • 3
  • 3
    See also [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – Sjoerd Mar 06 '19 at 13:33
  • Thanks @sjoerd, I have read that article before posting this question. I was more aiming at a quality check of my specific implementation. – kyr0 Mar 06 '19 at 13:38
  • 2
    Implement the password validation part and add it into your post. That's where most of the bugs come from. – Polynomial Mar 06 '19 at 14:22
  • Unfortunately, we are not a code review site. – schroeder Mar 06 '19 at 16:56

0 Answers0