I want make an authentication system for my app along the lines of SUAS, except instead of using SHA256 for hashing passwords I'd like to use bcrypt or scrypt. Unfortunately both py-bcrypt and scrypt for python use native c, which is unsupported by GAE.
Any way around this?
Installation. Note that bcrypt should build very easily on Linux provided you have a C compiler, headers for Python (if you're not using pypy), and headers for the libffi libraries available on your system.
The takeaway is this: bcrypt is a secure algorithm but remember that it caps passwords at 72 bytes. You can either check if the passwords are the proper size, or opt to switch to argon2, where you'll have to set a password size limit.
Scrypt and BCrypt are both extremely processor-intensive (by design). Because of this, I very much doubt any pure-python implementation is going to be fast enough to be secure - that is, be able to hash using a sufficient number of rounds within a reasonable amount of time.
I can personally attest to this, I've tried writing a pure-python BCrypt, and it was way too slow to be useful. The docs for the pure-python bcrypt implementation mentioned in another answer note this exact flaw - to beware of using it for actual security, it's rounds must be set too low. The only time such implementations will be fast enough is under pypy, which is not the situation you're faced with.
What you want to go with is something based on an available hash primitive like SHA-2. That way the heavy calculation bit will still be able to be written in C, even under GAE. I'd recommend something based on PBKDF2 or SHA-512-Crypt (note: this is not just a plain sha512 hash). The security of the algorithms is just as good, but pure-python implementations will be much more efficient, since they can leverage hashlib
to do the heavy lifting.
The Passlib library might be useful in this case, it contains implementations of PBKDF2 and SHA-512-Crypt in pure python. (Disclaimer: I'm the author of that library). Another Python library with PBKDF2 support is Cryptacular.
This guy ported py-bcrypt to pure python so you can use it on GAE: https://github.com/erlichmen/py-bcrypt
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With