0

I'm using WTForms-Alchemy to define forms from model objects. I defined a field as a password thus:

password = db.Column(PasswordType(schemes=['pbkdf2_sha512']), nullable=True)

I persist the form to PostgreSQL and I always end up with the wrong hash in the database. Interestingly, this method worked flawlessly on a previous project that used MySQL.

I've now decided to encrypt my passwords by hand by calling pbkdf2_sha512.encrypt and pbkdf2_sha512.verify manually, and the hashes are stored correctly.

Am I missing a configuration parameter? Could this be a bug?

ruipacheco

1 Answer

1

I'm not entirely sure what the issue here is, but I wanted to mention that using pbkdf2 is not recommended nowadays -- if you're storing user password hashes, you should preferably be storing passwords using bcrypt. bcrypt is a CPU-hard hashing algorithm, which makes it much harder to brute-force for potential attackers.

rdegges
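A way to test whether the value read back from the password column is still a usable pbkdf2_sha512 hash, as an added example that is not code from the question, the answer, or the libraries they mention. It uses only the standard library and assumes the `$pbkdf2-sha512$rounds$salt$checksum` layout with passlib's adapted base64; the function names, the 25000-round default and the round limit are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "$pbkdf2-sha512$"

def _ab64(data: bytes) -> str:
    # Adapted base64 (assumed layout): '.' replaces '+', '=' padding is dropped.
    return base64.b64encode(data, altchars=b"./").decode("ascii").rstrip("=")

def _ab64_decode(text: str) -> bytes:
    # Restore the padding before decoding; invalid input raises ValueError.
    return base64.b64decode(text + "=" * (-len(text) % 4), altchars=b"./", validate=True)

def hash_password(password: str, rounds: int = 25000) -> str:
    # Hypothetical helper: builds a hash string with a fresh 16-byte salt.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{PREFIX}{rounds}${_ab64(salt)}${_ab64(digest)}"

def check_stored_hash(stored, password: str) -> str:
    """Classify a value read back from the column: 'ok', 'mismatch' or 'malformed'."""
    if isinstance(stored, (bytes, bytearray, memoryview)):
        try:
            stored = bytes(stored).decode("ascii")
        except UnicodeDecodeError:
            return "malformed"
    if not isinstance(stored, str) or not stored.startswith(PREFIX):
        return "malformed"
    parts = stored[len(PREFIX):].split("$")
    if len(parts) != 3 or not parts[0].isdigit():
        return "malformed"
    try:
        rounds = int(parts[0])
        salt, expected = _ab64_decode(parts[1]), _ab64_decode(parts[2])
    except ValueError:
        return "malformed"
    if len(expected) != 64 or not 1 <= rounds <= 10_000_000:
        return "malformed"
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"
```

A "malformed" result for a value that was well-formed before the insert means the string changed somewhere between the application and the column, which separates a storage problem from a hashing problem.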