Switching away from py-bcrypt backend

As passlib duly notes, all pip versions (and HEAD too) of py-bcrypt are vulnerable to the BSD wraparound bug:

UserWarning: passlib.hash.bcrypt: Your installation of the 'pybcrypt' backend is vulnerable to the bsd wraparound bug, and should be upgraded or replaced with another backend (this warning will be fatal under passlib 1.7)

Aside from being a serious security vulnerability, being fatal in passlib 1.7+ means it will also make Flask-User unusable under that version until fixed.

Switching to one of the alternative backends supported by passlib, such as bcrypt, should be considered.

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

1 reaction
lingthio commented, Aug 19, 2015

Thank you all for contributing. It turns out that you need one of the latest versions of passlib to make bcrypt work in Python 3.3 and 3.4. So:

pip uninstall py-bcrypt
pip install -U passlib==1.6.5
pip install -U bcrypt==2.0.0

I will update the requirements.txt and setup.py for Flask-User v0.6.7.
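
The practical follow-up to the issue and to the fix above is a startup check that fails closed: ask passlib which bcrypt backend it actually loaded, refuse the py-bcrypt backend it flags as vulnerable to the BSD wraparound bug, capture the warning passlib prints about it, and prove the chosen backend round-trips a hash before the application accepts logins. The following is an added example written for this page; it is not Flask-User or passlib code. It assumes passlib is importable (1.6.x or 1.7.x; the `hash`/`encrypt` shim covers the rename) and preferably the `bcrypt` PyPI package; the backend names come from passlib's own `bcrypt` handler, while the function name, the preferred-backend order and the report keys are choices made here.

```python
"""
Startup check for an application that stores passwords with passlib's
bcrypt handler (added example, not Flask-User or passlib code).
"""
import warnings

# The backend this issue is about: passlib itself warns that py-bcrypt is
# vulnerable to the BSD wraparound bug. This check never selects it.
VULNERABLE_BACKENDS = {"pybcrypt"}

# Backends we are willing to settle on, most preferred first (assumption made
# here). "bcrypt" is the PyPI package the maintainer switched Flask-User to;
# "os_crypt" is the platform crypt(3) when it supports bcrypt.
PREFERRED_BACKENDS = ("bcrypt", "os_crypt")


def backend_report(test_secret="correct horse battery staple"):
    """Describe the bcrypt backend passlib will use. status is one of:
      "ok"         - a backend not on the deny-list is active and hash/verify works
      "vulnerable" - passlib could only load a deny-listed backend
      "missing"    - passlib, or every usable bcrypt backend, is unavailable
    """
    try:
        from passlib.hash import bcrypt
    except Exception as exc:  # ImportError, or a backend import blowing up
        return {"status": "missing", "backend": None, "warnings": [],
                "detail": "passlib not importable: %s" % exc}

    with warnings.catch_warnings(record=True) as records:
        warnings.simplefilter("always")  # keep the pybcrypt UserWarning
        # Steer passlib toward a preferred backend before it auto-selects.
        # has_backend()/set_backend() run passlib's backend self-test, which
        # is where the wraparound-bug warning is raised.
        for name in PREFERRED_BACKENDS:
            try:
                if bcrypt.has_backend(name):
                    bcrypt.set_backend(name)
                    break
            except Exception:  # MissingBackendError, or a broken backend
                continue
        try:
            backend = bcrypt.get_backend()  # auto-selects if nothing was set
        except Exception as exc:
            return {"status": "missing", "backend": None,
                    "warnings": [str(r.message) for r in records],
                    "detail": "no usable bcrypt backend: %s" % exc}
        caught = [str(r.message) for r in records]

    if backend in VULNERABLE_BACKENDS:
        return {"status": "vulnerable", "backend": backend, "warnings": caught,
                "detail": "refusing to start on the %s backend" % backend}

    # passlib 1.7 renamed encrypt() to hash(); accept either.
    make_hash = getattr(bcrypt, "hash", None) or bcrypt.encrypt
    digest = make_hash(test_secret)
    return {
        "status": "ok",
        "backend": backend,
        "warnings": caught,
        "hash_prefix": digest[:4],  # bcrypt ident, e.g. "$2a$" or "$2b$"
        "verify_ok": bcrypt.verify(test_secret, digest),
        "verify_wrong": bcrypt.verify(test_secret + "x", digest),
        "detail": "backend %s passed the round-trip check" % backend,
    }


if __name__ == "__main__":
    import sys
    report = backend_report()
    for line in report["warnings"]:
        print("passlib warned: %s" % line)
    print("%s: %s" % (report["status"], report["detail"]))
    # Non-zero exit keeps a deploy from going live on a bad backend.
    sys.exit(0 if report["status"] == "ok" else 1)
```

Run it as the first step of the application's start-up (or as a CI gate after `pip install`): a "vulnerable" or "missing" status exits non-zero before any password is hashed, which is the same outcome passlib 1.7 enforces by making the warning fatal, only surfaced where an operator sees it.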

0 reactions
Xender commented, Sep 7, 2015

@scheung38 - I have no idea and I’d also like to know that, but that bcrypt issue doesn’t really have to do with Flask-User in any way beside having passlib as a dependency.
