Welcome!
This is the community forum for my apps Pythonista and Editorial.
For individual support questions, you can also send an email. If you have a very short question or just want to say hello — I'm @olemoritz on Twitter.
bcrypt - is there a bcrypt lib that can be used with Pythonista?
-
It appears to me that both bcrypt and py-bcrypt cannot be used with Pythonista. If that statement is correct, does anyone know of a credible bcrypt lib that will work with Pythonista?
-
The only pure-Python bcrypt implementation I've found is this:
https://github.com/fwenzel/python-bcrypt
The project description isn't very confidence-inducing though...
A pure Python implementation of bcrypt. If you're in your right mind, you don't use this (yet)!
-
@omz, OK, thanks for the info. I will not try it. I am sure that as people see development happening more and more on mobile devices, more and more libs will have pure Python equivalents.
I understand, this particular lib is a little different for a few reasons.
-
I was looking for a scrypt implementation which worked and had no luck. On a PC, scrypt under pure Python (no C wrappers) runs on the order of minutes, so on iOS it'd be infeasible altogether. ^
I know bcrypt and scrypt aren't the same, but the Python library situation for both is analogous.
^: related query: how can JavaScript process scrypt so quickly (seconds) on webpages run by Safari or Chrome on iOS? I can't see how JavaScript would be fundamentally faster unless it was simply a matter of more speed tweaks being implemented due to greater usage of JavaScript.
-
@SimCityWok, thanks for your info. But really, I have zero in-depth knowledge of any of these subjects. I just happened to read an interesting article on Flipboard about bcrypt and password hashing, which led to other articles about re-hashing passwords at login etc.
But it was my lame idea on how to beef up using keychain and storing config information locally for different accounts. I also copied code from http://stackoverflow.com/questions/16761458/how-to-aes-encrypt-decrypt-files-using-python-pycrypto-in-an-openssl-compatible to use for encrypting files. But I can't say I understand it or know if it's correct. I would just like a single standard class that can properly deal with my Dropbox secret passwords, email address, GitHub passwords etc. That's why I was asking about it.
-
@SimCityWok, oh, one thing. Why don't you give scrypt a go on iOS? You might be surprised. I have an iPad Pro, it's super fast. Maybe not fast enough, but I would love to hear if you try a comparison and the result you get.
-
@Phuket2 said:
Oh, one thing. Why don't you give scrypt a go on iOS? You might be surprised. I have an iPad Pro, it's super fast. Maybe not fast enough, but I would love to hear if you try a comparison and the result you get.
I was curious about this too, so I installed pyscrypt in Pythonista (iPad Air 2 and iPhone 6s) and on my MacBookPro (early 2015, i5, 2.9 GHz). I ran the following benchmark code:
```python
import timeit

# Python 2: str arguments are bytes, which is what pyscrypt.hash expects.
result = timeit.timeit(
    "pyscrypt.hash(password='foobar', salt='seasalt', N=1024, r=1, p=1, dkLen=32)",
    setup="import pyscrypt",
    number=100,
)
print(result)
```
(I pretty much just took the first piece of sample code in the pyscrypt readme)
The results:
- MacBook Pro: ~14.0 sec.
- iPhone 6s: ~21.5 sec.
- iPad Air 2: ~30.5 sec.
Not bad for the iOS devices, though I actually expected the iPad to fare a bit better against the MacBook. The iPad Pro should be even faster than the iPhone 6s, so I suspect that it might get very close to the MacBook (I wouldn't even be very surprised if it actually performs better).
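The pyscrypt call timed above is a pure-Python scrypt. To make concrete what that pure-Python work consists of, here is an added example (not code from this thread or from pyscrypt) of RFC 7914 scrypt written in plain Python on top of hashlib's PBKDF2-HMAC-SHA256. The Salsa20/8 core, BlockMix and ROMix follow the RFC's definitions; the `scrypt()` function name, its positional signature and the `cross_check` helper are this example's own. Nearly all of the run time is the 2N BlockMix calls inside ROMix, which is why N, not the interpreter, is the knob that decides how slow this is on any CPU.

```python
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(a, b):
    a &= _MASK
    return ((a << b) | (a >> (32 - b))) & _MASK


def _salsa20_8(inp):
    """Salsa20/8 core on one 64-byte block held as 16 little-endian 32-bit words."""
    x = list(inp)
    for _ in range(4):  # 8 rounds = 4 x (column round, row round)
        x[4] ^= _rotl(x[0] + x[12], 7);    x[8] ^= _rotl(x[4] + x[0], 9)
        x[12] ^= _rotl(x[8] + x[4], 13);   x[0] ^= _rotl(x[12] + x[8], 18)
        x[9] ^= _rotl(x[5] + x[1], 7);     x[13] ^= _rotl(x[9] + x[5], 9)
        x[1] ^= _rotl(x[13] + x[9], 13);   x[5] ^= _rotl(x[1] + x[13], 18)
        x[14] ^= _rotl(x[10] + x[6], 7);   x[2] ^= _rotl(x[14] + x[10], 9)
        x[6] ^= _rotl(x[2] + x[14], 13);   x[10] ^= _rotl(x[6] + x[2], 18)
        x[3] ^= _rotl(x[15] + x[11], 7);   x[7] ^= _rotl(x[3] + x[15], 9)
        x[11] ^= _rotl(x[7] + x[3], 13);   x[15] ^= _rotl(x[11] + x[7], 18)
        x[1] ^= _rotl(x[0] + x[3], 7);     x[2] ^= _rotl(x[1] + x[0], 9)
        x[3] ^= _rotl(x[2] + x[1], 13);    x[0] ^= _rotl(x[3] + x[2], 18)
        x[6] ^= _rotl(x[5] + x[4], 7);     x[7] ^= _rotl(x[6] + x[5], 9)
        x[4] ^= _rotl(x[7] + x[6], 13);    x[5] ^= _rotl(x[4] + x[7], 18)
        x[11] ^= _rotl(x[10] + x[9], 7);   x[8] ^= _rotl(x[11] + x[10], 9)
        x[9] ^= _rotl(x[8] + x[11], 13);   x[10] ^= _rotl(x[9] + x[8], 18)
        x[12] ^= _rotl(x[15] + x[14], 7);  x[13] ^= _rotl(x[12] + x[15], 9)
        x[14] ^= _rotl(x[13] + x[12], 13); x[15] ^= _rotl(x[14] + x[13], 18)
    return [(x[i] + inp[i]) & _MASK for i in range(16)]


def _block_mix(b, r):
    """scryptBlockMix on 2*r 64-byte blocks, passed as a flat list of 32*r words."""
    x = b[-16:]                                   # X = B[2r-1]
    y = []
    for i in range(2 * r):
        blk = b[16 * i:16 * i + 16]
        x = _salsa20_8([x[k] ^ blk[k] for k in range(16)])  # X = Salsa(X xor B[i])
        y.append(x)
    # B' = Y[0], Y[2], ..., Y[2r-2], Y[1], Y[3], ..., Y[2r-1]
    return ([w for i in range(0, 2 * r, 2) for w in y[i]] +
            [w for i in range(1, 2 * r, 2) for w in y[i]])


def _ro_mix(b, r, n):
    """scryptROMix: N BlockMix calls to fill V, then N data-dependent reads of V."""
    x = b
    v = []
    for _ in range(n):
        v.append(x)
        x = _block_mix(x, r)
    for _ in range(n):
        # Integerify: B[2r-1] as a little-endian integer, mod N. N is a power of
        # two below 2**32, so only the first word of the last block matters.
        j = x[32 * r - 16] % n
        vj = v[j]
        x = _block_mix([x[k] ^ vj[k] for k in range(32 * r)], r)
    return x


def scrypt(password, salt, n, r, p, dklen):
    """RFC 7914 scrypt(P, S, N, r, p, dkLen) in pure Python (example signature)."""
    if n < 2 or n & (n - 1) or n >= 2 ** 32:
        raise ValueError("N must be a power of two greater than 1")
    fmt = "<%dI" % (32 * r)
    b = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * 128 * r)
    out = b""
    for i in range(p):
        words = list(struct.unpack(fmt, b[i * 128 * r:(i + 1) * 128 * r]))
        out += struct.pack(fmt, *_ro_mix(words, r, n))
    return hashlib.pbkdf2_hmac("sha256", password, out, 1, dklen)


def cross_check(password, salt, n, r, p, dklen):
    """Compare against OpenSSL's scrypt via hashlib when this Python has it;
    returns True when they agree (or when hashlib.scrypt is unavailable)."""
    if not hasattr(hashlib, "scrypt"):
        return True
    ref = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen)
    return scrypt(password, salt, n, r, p, dklen) == ref


if __name__ == "__main__":
    import timeit
    # The same parameters as the thread's benchmark, one iteration instead of 100.
    t = timeit.timeit(lambda: scrypt(b"foobar", b"seasalt", 1024, 1, 1, 32), number=1)
    print("N=1024 r=1 p=1: %.3f s per hash" % t)
```

The first RFC 7914 test vector (empty password and salt, N=16, r=1, p=1) is the quickest way to confirm a transcription is right; `cross_check` then compares this code with OpenSSL's implementation on the thread's own parameters where `hashlib.scrypt` exists.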
-
@omz, I installed it. I ran the exact same script as you.
First time ever run: 17.1012
2nd time: 17.1633
3rd time: 17.1605
iPad Pro, 128GB, iOS 9.2.1
-
@SimCityWok, it would be nice to see what your PC reports with the same script, and also your PC spec.
-
@omz, OK, I also tried it in Pythonista 3. Yes, the numbers are not great, but I am sure that's because of debugging symbols or whatever they are called now.
But the good news is StaSh worked flawlessly and so did Pythonista.
```python
import timeit

# Python 3: pyscrypt.hash needs bytes, hence the b'' literals.
result = timeit.timeit(
    "pyscrypt.hash(password=b'foobar', salt=b'seasalt', N=1024, r=1, p=1, dkLen=32)",
    setup="import pyscrypt",
    number=100,
)
print(result)
```
-
@Phuket2 Unfortunately, Python 3 is usually a bit slower than Python 2. The difference in this case seems to be quite extreme though – maybe it's something about the algorithm, or the pyscrypt code is perhaps better optimized for Python 2 – I don't know... But the results are also much worse on my MacBook with Python 3 – it takes almost twice as long, and that's running the official Python 3.5.1, so I don't really think this is because of debug symbols in Pythonista or anything like that.
-
@omz, OK. It was close to 3 times slower for me. In their Python 3 example they have dkLen=256 instead of 32. I tried that also. Close to the same.
-
@omz, look, I don't know how much is really being done in your test case compared to what @SimCityWok is doing, where he says it takes minutes on his PC. But your test is executing 100 times. 1 unit is still well under a second. I am not sure how much extra work he is doing, but something does not sound right.
-
Okay, so I am not new to cryptography, but why would a hashing algorithm be insecure? Isn't it just an algorithm that changes text into a text that is always the same thing when hashed?
I don't understand how a random piece of text can be insecure if there is no way to decrypt it other than just running through all possible pieces of text, hashing them, and seeing if they match. It just doesn't make sense to me. Maybe somebody could enlighten me?
-
@AtomBombed, for me it was about it being reliable and robust. For example, if it's not widely used, it could have a weird bug that under certain conditions corrupts the hash, or maybe it's not strong enough, etc.
But because I don't know how it works, these questions are important for me. Even studying the code would not help me. I am sure I would struggle to get my head around it. 😱
-
@AtomBombed I'm not an expert, but from my understanding, it's mostly about how fast the hashing algorithm is – the slower, the better. If you get your hands on a database of usernames and hashed passwords, a weak (i.e. fast) hash (like MD5) makes it a lot easier to translate a large number of these hashes back to the original passwords, simply by trying all words in a very long list. You can compute millions of MD5 hashes in seconds. But if it takes a modern computer minutes to check just a couple hundred words or so, a brute-force attack is much less feasible.
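To make the point above concrete (an added example, not part of any post in this thread): how a server stores passwords so that a leaked table costs the attacker one slow KDF evaluation per guess, and how the "re-hashing at login" idea mentioned earlier fits in. It uses `hashlib.scrypt` from the standard library (Python 3.6 or newer, built against OpenSSL 1.1 or newer). The record format `scrypt$N$r$p$salt$hash`, the work-factor constants and the function names are this example's own choices, not anything from the thread or from pyscrypt.

```python
import hashlib
import hmac
import os

# Work-factor policy (constants assumed for this example; pick values so one
# hash costs roughly 50-100 ms on your server, and raise them over time).
SCRYPT_N = 2 ** 14      # CPU/memory cost, must be a power of two
SCRYPT_R = 8            # block size
SCRYPT_P = 1            # parallelism
DKLEN = 32              # derived key length in bytes
SALT_LEN = 16


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$dk_hex (format chosen here).

    A fresh random salt per password means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), dk.hex())


def _parse(record):
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record type: %s" % algo)
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, record):
    """Recompute with the parameters stored in the record; compare in constant time."""
    n, r, p, salt, dk = _parse(record)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(dk))
    return hmac.compare_digest(candidate, dk)


def needs_rehash(record):
    """True if the record was made with a weaker work factor than current policy."""
    n, r, p, _, _ = _parse(record)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def login(password, record):
    """'Re-hash at login': a successful login is the only moment the plaintext is
    available, so that is when an old record gets upgraded.
    Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


def dictionary_attack(record, candidates):
    """What an attacker does with a leaked record: try candidates until one verifies.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    tries = 0
    for word in candidates:
        tries += 1
        if verify_password(word, record):
            return word, tries
    return None, tries


if __name__ == "__main__":
    import time
    # Constructed wordlist; the cost per guess is what the slow KDF inflates.
    words = ["123456", "password", "letmein", "qwerty", "correct horse"]
    record = hash_password("correct horse")
    t0 = time.perf_counter()
    print("scrypt guesses:", dictionary_attack(record, words), "%.2fs" % (time.perf_counter() - t0))
    t0 = time.perf_counter()
    md5s = [hashlib.md5(w.encode("utf-8")).hexdigest() for w in words]
    print("MD5 of the same %d words: %.6fs" % (len(words), time.perf_counter() - t0))
```

Because the parameters travel with the record, the policy constants can be raised later without invalidating existing users: `needs_rehash` flags the old records and `login` replaces them the next time the user authenticates.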
-
@omz ah, that makes much more sense now. Thanks!
-
@omz said:
@AtomBombed I'm not an expert, but from my understanding, it's mostly about how fast the hashing algorithm is – the slower, the better.
This is exactly why scrypt is so slow. It's designed to be RAM intensive to slow ASICs. The context in which I'm familiar with using scrypt is crypto-currency, namely Litecoin, and Bitcoin's password-protected private keys (aka BIP39).
-
@AtomBombed said:
Okay, so I am not new to cryptography, but why would a hashing algorithm be insecure? Isn't it just an algorithm that changes text into a text that is always the same thing when hashed?
I don't understand how a random piece of text can be insecure if there is no way to decrypt it other than just running through all possible pieces of text, hashing them, and seeing if they match. It just doesn't make sense to me. Maybe somebody could enlighten me?
Basically, there can be shortcuts, like the NSA's backdoor in the NIST curve.
AFAIK, bcrypt is old-school and has stood the test of time. Scrypt, not so much.
-
@SimCityWok oh. Okay.