Currently, it seems that ParkAPI v3 stores passwords only hashed with a single iteration of SHA256 hashing, which can be cracked within minutes for short passwords with today's hardware:
https://github.com/mobidata-bw/park-api-v3/blob/8f5da93266ce9f5d1c79bdfc0ca47ddf0786ff5f/webapp/common/server_auth/server_auth_users.py#L92-L94
It would be good to use some industry standard like bcrypt, which some guide on how to do password hashing in Python also mentions, among others. (I just googled for 5s, it is not necessarily the best resource on this topic.)
This is valid for user passwords, but not for long generated machine passwords. Especially with lots of updates, one of the features of bcrypt, long hashing times, turns into a disadvantage, because requests take much longer than they should. If you have 64 random chars, you have enough entropy that brute forcing won't ever work, and you also cannot create rainbow tables.
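The two points made above (a single unsalted SHA256 round is brute-forceable for short human-chosen passwords; a long generated machine secret does not need a slow hash) can be shown side by side. The following is an added example and is not code from park-api-v3 or from either commenter. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash instead of bcrypt, so that it runs without a third-party package; bcrypt, scrypt or Argon2 would be dropped in the same way. All function names, the 64-character alphanumeric secret format and the `pbkdf2$iterations$salt$hash` storage string are choices made for this example, not the project's.

```python
import hashlib
import hmac
import itertools
import os
import secrets
import string
from typing import Optional

# --- The weak scheme the issue describes: one unsalted SHA256 round. ---

def weak_hash(password: str) -> str:
    """Single unsalted SHA256 round (the scheme the issue criticises)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak_hash(digest: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustively try every candidate of up to max_len characters.

    With no salt and no work factor each guess costs one SHA256 call, so
    a short password falls in well under a second on ordinary hardware.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hmac.compare_digest(weak_hash(guess), digest):
                return guess
    return None


# --- Hardened scheme for human-chosen passwords. ---
# Assumption (example only, not from the thread): PBKDF2-HMAC-SHA256 from
# the standard library stands in for bcrypt; the salt-plus-work-factor idea
# is the same. 600k iterations is the OWASP Password Storage Cheat Sheet
# figure for PBKDF2-HMAC-SHA256.

PBKDF2_ITERATIONS = 600_000


def hash_user_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash; returns a self-describing 'pbkdf2$iters$salt$hash'."""
    salt = os.urandom(16)  # fresh random salt per password defeats rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_user_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Fast scheme for long generated machine secrets (the comment's point). ---
# A 64-character secret drawn from 62 symbols carries about 381 bits of
# entropy, so brute force and rainbow tables are infeasible even with a fast
# hash; a slow hash would only add latency to every update request.

MACHINE_SECRET_ALPHABET = string.ascii_letters + string.digits
MACHINE_SECRET_LENGTH = 64


def generate_machine_secret() -> str:
    """Server-side generation guarantees the entropy the fast hash relies on."""
    return "".join(secrets.choice(MACHINE_SECRET_ALPHABET) for _ in range(MACHINE_SECRET_LENGTH))


def hash_machine_secret(secret: str) -> str:
    """Plain SHA256 is acceptable here only because the input is high-entropy.

    The length/alphabet check keeps a human-chosen password from ever being
    stored under this fast scheme by mistake.
    """
    if len(secret) < MACHINE_SECRET_LENGTH or any(c not in MACHINE_SECRET_ALPHABET for c in secret):
        raise ValueError("machine secrets must be long generated strings, not user passwords")
    return hashlib.sha256(secret.encode()).hexdigest()


def verify_machine_secret(secret: str, stored: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(secret.encode()).hexdigest(), stored)


if __name__ == "__main__":
    print("cracked:", crack_weak_hash(weak_hash("cat"), string.ascii_lowercase, 3))
    stored = hash_user_password("cat")
    print("user ok:", verify_user_password("cat", stored), "wrong:", verify_user_password("dog", stored))
    secret = generate_machine_secret()
    print("machine ok:", verify_machine_secret(secret, hash_machine_secret(secret)))
```

The split is the practical resolution of the thread: anything a human types goes through the salted slow hash, and the fast path is reserved for secrets the server itself generated, with the length check making the distinction enforceable rather than a convention.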