Web lists-archives.com

Re: Bcrypt hash program on Debian 8 without python-pip ?




Hi,

on the second try i found out that the way to avoid the need for pip
is package "python-bcrypt". I asked the wrong question to apt-file
on the first try.

Thanks to python's help("bcrypt") i can also avoid passlib:

  $ python
  >>> import bcrypt
  >>> bcrypt.gensalt(16)
  '$2b$16$joRzQDFBqWzio.8tjWzJaO'
  >>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
  '$2b$16$joRzQDFBqWzio.8tjWzJaOdnF5Wha3xW/WDIJQEsI59mvvBZr5lMe'
  >>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
  '$2b$16$joRzQDFBqWzio.8tjWzJaOdnF5Wha3xW/WDIJQEsI59mvvBZr5lMe'

The speed on real iron is quite the same: 3.6 seconds with cost 16.
But i get a different salt type than on Sid and cannot use the one from Sid.

  >>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
  ...
  ValueError: Invalid salt
  >>> bcrypt.gensalt(16)
  '$2a$16$TO/1Wc6L2wC8SgJpgQEV9e'
  >>> bcrypt.hashpw("ElmerFudpecker",'$2a$16$TO/1Wc6L2wC8SgJpgQEV9e')
  '$2a$16$TO/1Wc6L2wC8SgJpgQEV9eYsyzF0Gp8iiq/DpEuxGhRExoRf3hyqG'

Note the "$2a$" instead of "$2b$".
To my luck, Sid's bcrypt accepts the Jessie salt and produces the same hash
as Jessie's bcrypt.
So one will not have to change all remote passwords when upgrading bcrypt.

"$2a$" seems to be deprecated according to:
  http://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html
  "some implementations suffered from rare security flaws, replaced by 2b."


Nevertheless. How to avoid python ?


Have a nice day :)

Thomas