Encrypt passwords

Wichert Akkerman wichert at wiggy.net
Fri Aug 7 07:04:26 UTC 2009


On 2009-8-7 09:02, Wichert Akkerman wrote:
> This should be about right, although it still seems to go wrong with
> passwords longer than 16 characters, in a way I have not figured out yet:
>
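def ObfuscatePassword(challenge, password):
    """Obfuscate *password* for a CoovaChilli UAM login request.

    Takes the hex-encoded challenge the captive portal handed out and the
    cleartext password and returns the hex-encoded XOR of the password with a
    pad derived from the challenge:

    * the pad is the 16 decoded challenge bytes or, when ``chilli.uamsecret``
      is configured, ``md5(challenge_bytes + uamsecret)``;
    * the pad is doubled until it is at least as long as the password, and the
      password is NUL-padded up to the pad length, so the output always spans
      a whole number of 16-byte pad blocks.

    This is obfuscation, not encryption: without a uamsecret the pad is the
    challenge itself, which is transmitted in the clear, and with one the
    password is recoverable by anyone who knows the secret.

    NOTE(review): the author reports this going wrong for passwords longer
    than 16 characters.  Two unconfirmed candidates: the NUL padding past the
    real password length (the receiving side has to strip the trailing NULs
    it decodes), and, under Python 2, a unicode *password* or *uamsecret*
    being concatenated with the binary pad.

    :param challenge: 32 hex digits (16 bytes) as received from chilli.
    :param password: cleartext password (a byte string under Python 2).
    :return: hex string of the obfuscated, NUL-padded password.
    :raises ValueError: if *challenge* does not decode to exactly 16 bytes
        (``str.decode("hex")`` itself raises TypeError on malformed hex).
    """
    xorpad = challenge.decode("hex")
    # A real check rather than assert: assert is stripped under -O, and a
    # short or long pad would silently change the output layout.
    if len(xorpad) != 16:
        raise ValueError("challenge must decode to 16 bytes, got %d" % len(xorpad))
    uamsecret = pylons.config.get("chilli.uamsecret", None)
    if uamsecret:
        # Mix the shared secret in so the pad is not just the public challenge.
        xorpad = hashlib.md5(xorpad + uamsecret).digest()

    # Repeat the pad until it covers the whole password ...
    while len(xorpad) < len(password):
        xorpad += xorpad
    # ... then NUL-pad the password up to the pad length.  Both strings now
    # have the same length, so zip() below drops nothing.
    password += "\x00" * (len(xorpad) - len(password))

    obfuscated = "".join(chr(ord(p) ^ ord(x)) for p, x in zip(password, xorpad))
    return obfuscated.encode("hex")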

And for completeness here are the unit tests that go with it:

class TestObfuscatePassword(unittest.TestCase):
    """Unit tests for ObfuscatePassword.

    ``pylons.config`` is swapped for a plain dict around every test so the
    ``chilli.uamsecret`` lookup is entirely under the test's control.
    """

    def setUp(self):
        # Park the real Pylons config and hand the code under test an empty one.
        import pylons
        self._pylons_config = pylons.config
        pylons.config = dict()

    def tearDown(self):
        # Put the real config back so other tests are unaffected.
        import pylons
        pylons.config = self._pylons_config

    def setSecret(self, secret):
        # Configure the shared UAM secret that ObfuscatePassword mixes in.
        import pylons
        pylons.config["chilli.uamsecret"] = secret

    def testSimplePasswordNoSecret(self):
        # Without a secret the pad is the raw challenge; the password is
        # NUL-padded to 16 bytes, so the trailing bytes are the pad itself.
        challenge = "0102030405060708090A0B0C0D0E0F00"
        pw = ObfuscatePassword(challenge, "AAAA")
        self.assertEqual(len(pw), 32, "Password padded to challenge length")
        self.assertEqual(pw, "4043424505060708090a0b0c0d0e0f00")

    def testSimplePasswordWithSecret(self):
        # With a secret the pad is md5(challenge + secret).
        self.setSecret("secret")
        challenge = "0102030405060708090A0B0C0D0E0F00"
        pw = ObfuscatePassword(challenge, "AAAA")
        self.assertEqual(pw, "417fad1cfde2ffcdab12cf6db574ea9a")

    def testPasswordLongerThanChallenge(self):
        # A 20-byte password needs a doubled (32-byte) pad; the output is
        # 20 XORed bytes followed by 12 pad bytes from the NUL padding.
        challenge = "01020102010201020102010201020102"
        expected = (
            "4043404340434043404340434043404340434043"
            "010201020102010201020102"
        )
        pw = ObfuscatePassword(challenge, "A" * 20)
        self.assertEqual(len(pw), 64)
        self.assertEqual(pw, expected)

    def testEvilPassword(self):
        # An all-zero pad leaves the password untouched, so the output is
        # simply its hex encoding, whatever characters it contains.
        evil = "a`~!@#$%^&*()-_="
        zero_challenge = "00000000000000000000000000000000"
        pw = ObfuscatePassword(zero_challenge, evil)
        self.assertEqual(pw, evil.encode("hex"))


Wichert.


-- 
Wichert Akkerman <wichert at wiggy.net>   It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.


