[PySide] secure password handling

Frank Rueter | OHUfx frank at ohufx.com
Wed Dec 11 01:03:50 CET 2013


just picking up on this again:

I'm still wondering what the best approach is in a PySide app to get 
from the plain text password that a user enters in a widget to an 
encrypted version of it while minimising the risk of theft of the 
original password?!
I am currently encrypting the password via rsa using a public key and 
decrypting it on the server side with a private key.
That's all nice, but what about the text that is entered in the widget 
itself? Isn't it too easy to hack the code to grab the password before 
it is encrypted? Even if I distribute the respective pyside and password 
code as pyc?

Is it a feasible idea to have a pre-compiled PySide widget (not sure how 
to do that) that encrypts the password upon reception and only ever 
stores the result of that?

I guess this is a scenario where it would be of benefit to use C++ or 
other compiled languages (which is beyond my knowledge).

I would greatly appreciate people's input on this!

Cheers,
frank


On 18/06/12 09:59, Frank Rueter | OHUfx wrote:
> Thanks Srini.
>
> On 18/06/12 5:44 AM, Srini Kommoori wrote:
>> For a desktop application, I would recommend using keyring
>> http://pypi.python.org/pypi/keyring
>>
>> For file level password application, I would use PBKDF2 with very high
>> iteration count. For my application, Safebox, I have used this method.
>> Here are the details.
>> http://safebox.fabulasolutions.com/p/safebox-crypto-architecture.html
>>
>> all the best
>>
>> On Jun 15, 2012, at 12:52 AM, Henry Gomersall<heng at cantab.net>  wrote:
>>
>>> On Fri, 2012-06-15 at 11:50 +1200, Frank Rueter | OHUfx wrote:
>>>> I'm wondering about the best way to handle password input in PySide.
>>>> I know about python's hashlib, but am wondering if there is a better
>>>> way
>>>> to provide security between the user's input into a PySide widget and
>>>> the hashing. A friend was wondering about a precompiled widget that
>>>> does
>>>> the hashing directly so the password is never once stored anywhere as
>>>> plain text.
>>>>
>>>> What are people's approaches for this?
>>> so, in light of the recent LinkedIn debacle, the following was brought
>>> to my attention:
>>>
>>> http://codahale.com/how-to-safely-store-a-password/
>>>
>>> I'm not a security expert, which is why I feel the need to listen to all
>>> the arguments!
>>>
>>> Cheers,
>>>
>>> Henry
>>>
>>> _______________________________________________
>>> PySide mailing list
>>> PySide at qt-project.org
>>> http://lists.qt-project.org/mailman/listinfo/pyside
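Srini's suggestion in the thread is PBKDF2 with a very high iteration count for stored passwords, and Frank's worry is how long the plaintext stays around once the widget hands it over. The following is an added example written for this archive page, not code from any poster, Safebox, or keyring. It assumes the server already holds the plaintext for the duration of one request (for instance after Frank's RSA-protected transport has been decrypted) and shows the part a defender actually controls: a fresh random salt per password, a self-describing storage record, constant-time comparison, a rehash check for when policy raises the iteration count, and best-effort overwriting of the working buffer. Names such as `hash_password`, `verify_password` and `needs_rehash` are this example's own.

```python
"""Server-side password storage with PBKDF2-HMAC-SHA256 (stdlib only).

Added example for the thread above; not code from the thread, Safebox or keyring.
Assumes the plaintext reaches this code over a protected channel and that only
the derived record is ever written to disk.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # "very high iteration count": tune to roughly 0.2 s on your server
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int, dklen: int) -> bytes:
    # Work on a mutable buffer so the copy used for derivation can be zeroed.
    # Caveat: the immutable str the widget produced may still linger in memory;
    # Python gives no guarantee beyond this buffer.
    buf = bytearray(password.encode("utf-8"))
    try:
        return hashlib.pbkdf2_hmac("sha256", buf, salt, iterations, dklen=dklen)
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$key_hex."""
    if not password:
        raise ValueError("empty password")
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    key = _derive(password, salt, iterations, KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, key_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record is a mismatch, never a crash
    if algorithm != ALGORITHM or iterations < 1 or not expected:
        return False
    actual = _derive(password, salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was made with fewer iterations than current policy.

    Call this after a successful verify_password and re-store the result of
    hash_password while the plaintext is still available for that request.
    """
    try:
        algorithm, iterations_str, _, _ = record.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
```

On the client-side question in the thread: anything running with the user's privileges on the same machine can read what the widget holds, whether the Python ships as .py, .pyc or a compiled extension, so encrypting in the widget only moves the point of exposure rather than removing it. The controls that are actually in the application author's hands are a protected channel to the server and storage of nothing but a salted, slow hash like the record above.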



