From d45ca06d077e0e17fc8d4aa46667e31a3ff7d55c Mon Sep 17 00:00:00 2001
From: pwn
Date: Sun, 14 Dec 2025 14:47:00 +0300
Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20darkbazaar/src/auth.py?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 darkbazaar/src/auth.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/darkbazaar/src/auth.py b/darkbazaar/src/auth.py
index 32ab66a..da3af7e 100755
--- a/darkbazaar/src/auth.py
+++ b/darkbazaar/src/auth.py
@@ -1,9 +1,11 @@
-from passlib.context import CryptContext
-
-ctx = CryptContext(schemes=["pbkdf2_sha256"], pbkdf2_sha256__rounds=1)
-
-def get_password_hash(password: str) -> str:
-    return ctx.hash(password)
-
-def verify_password(plain_password: str, hashed_password: str) -> bool:
-    return ctx.verify(plain_password, hashed_password)
+from passlib.context import CryptContext
+
+# SECURITY FIX: Use proper PBKDF2 rounds (29000+ recommended, using 260000 for better security)
+# Previously was using only 1 round which made password cracking trivial
+ctx = CryptContext(schemes=["pbkdf2_sha256"], pbkdf2_sha256__rounds=260000)
+
+def get_password_hash(password: str) -> str:
+    return ctx.hash(password)
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return ctx.verify(plain_password, hashed_password)
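Review bot: Hashes already stored under the old 1-round context keep verifying unchanged, because `ctx.verify` on the new `verify_password` line accepts whatever rounds value is encoded in the stored hash string, so the raised `pbkdf2_sha256__rounds=260000` only protects passwords set after this commit. The context should also declare a floor, `ctx = CryptContext(schemes=["pbkdf2_sha256"], pbkdf2_sha256__rounds=260000, pbkdf2_sha256__min_rounds=260000)`, so that `ctx.needs_update(hashed_password)` reports the weak legacy hashes, and a small helper such as `def needs_rehash(hashed_password: str) -> bool: return ctx.needs_update(hashed_password)` lets the login path re-hash on the next successful verify. The hunk removes and re-adds every line of the file although only the `ctx` line and the two comments differ, which presumably reflects a line-ending or whitespace change; restricting the diff to the changed lines would make the security change easier to audit.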