tags:

views:

349

answers:

2
+1  Q: 

Best practice for two way hashing in python?

I want to allow users to validate their email address by clicking on a link. The link would look something like

http://www.example.com/verifyemail?id=some-random-string

When I am sending this email, I want to be able to easily generate this 'some-random-string' from row id of user, an integer. and when user clicks on this link, generate that integer back.

Only requirement is this 'some-random-string' should be as opaque and non-guessable to the user as possible.

Finally, this is what I settled on

def p3_encrypt_safe(plain, key):
    return base64.urlsafe_b64encode(p3_encrypt(plain, key))

used the nice crypto library from http://www.nightsong.com/phr/crypto/p3.py addition of base64 safe encoding is mine.

+3  A: 

Use encryption, that's exactly what it's designed for. Blowfish, AES, even DES3 if you don't need particularly high security.

Alternatively, you could compute an SHA-256 or SHA-512 (or whatever) hash of the email address and store it in a database along with the email address itself. That way you can just look up the email address using the hash as a key.

David Zaslavsky  2009-03-29 00:10:10
An SHA hash of an ID is slightly easier to deal with than an encrypted ID. Save all the hashes in your database and compare the hash you get with one of those.
S.Lott  2009-03-29 01:48:40
+5  A: 

Your best choice is to generate a hash (one-way function) of some of the user's data. For example, to generate a hash of user's row id, you could use something like:

>>> import hashlib
>>> hashlib.sha1('3').hexdigest()
'77de68daecd823babbb58edb1c8e14d7106e83bb'

However, basing your pseudorandom string only on a row id is not very secure, as the user could easily reverse the hash (try googling 77de68daecd823babbb58edb1c8e14d7106e83bb) of such a short string.

A simple solution here is to "salt" the hashed string, i.e. add the same secret string to every value that is hashed. For example:

>>> hashlib.sha1('3' + '[email protected]' + 'somestringconstant').hexdigest()
'b3ca694a9987f39783a324f00cfe8279601decd3'

If you google b3ca694a9987f39783a324f00cfe8279601decd3, probably the only result will be a link to this answer :-), which is not a proof, but a good hint that this hash is quite unique.

DzinX  2009-03-29 08:18:36

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python