Another security question

Frank Millman frank at chagford.com
Fri Dec 23 05:19:00 EST 2016


Hi all
This is a follow-up to my recent 'security question' post.
I am starting a new thread, for 2 reasons -
1) I sent a link to the previous thread to my ISP for their information. It 
is up to them whether they do anything with it, but I wanted to keep that 
thread focused on the original issue raised.
2) This one is more on-topic, as it is to do with my python project.
Having read the previous thread and various links, I want to review the way 
I handle passwords in my accounting application.
At present I just store a SHA-1 hash of the password for each user. Here are 
my thoughts on improving this.
1. Generate a 'salt' for each password. There seem to be two ways in the 
standard library to do this -
 import os
 salt = os.urandom(16)
 import secrets
 salt = secrets.token_bytes(16)
 My guess is that it will not make much difference which I use.
2. Store the salt in the database along with the user-id and hashed password 
for each user.
3. Generate the password from the string supplied by the user as follows -
 from hashlib import blake2b
 password = blake2b('my_password'.encode('utf-8'), salt=salt).digest()
The hashlib docs have the following warning -
"Salted hashing (or just hashing) with BLAKE2 or any other general-purpose 
cryptographic hash function, such as SHA-256, is not suitable for hashing 
passwords. See BLAKE2 FAQ for more information."
I propose to ignore this warning. I feel that, for my purposes, the above 
procedure is adequate.
Does all this sound reasonable?
Any comments appreciated.
Frank Millman
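Added example, not part of the post above: this is what the hashlib warning quoted in the post points at. It keeps the same per-user salt (secrets.token_bytes) and the same store-it-with-the-user-record step, but replaces the single blake2b call with a deliberately slow derivation (PBKDF2-HMAC-SHA256, also in the standard library), compares in constant time at login, and flags stored records whose work factor has fallen behind. The function names and the "pbkdf2_sha256$iterations$salt$key" record format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 16          # 16 random bytes, as in step 1 of the post
ITERATIONS = 200_000   # work factor: the thing a single salted blake2b lacks
DKLEN = 32             # length of the derived key in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a slow, salted key with PBKDF2-HMAC-SHA256 (stdlib hashlib)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=DKLEN)
    return {"iterations": iterations, "salt": salt, "key": key}


def encode_record(rec: dict) -> str:
    """One self-describing string for the user table (step 2 of the post).
    Record format is an assumption of this example."""
    return "pbkdf2_sha256${}${}${}".format(
        rec["iterations"], rec["salt"].hex(), rec["key"].hex())


def parse_record(stored: str) -> dict:
    """Inverse of encode_record; rejects anything not in the expected form."""
    scheme, iterations, salt_hex, key_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown password hash scheme: " + scheme)
    return {"iterations": int(iterations),
            "salt": bytes.fromhex(salt_hex), "key": bytes.fromhex(key_hex)}


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    rec = parse_record(stored)
    candidate = hash_password(password, rec["salt"], rec["iterations"])["key"]
    return hmac.compare_digest(candidate, rec["key"])


def needs_rehash(stored: str) -> bool:
    """True when the stored work factor is below the current setting, so the
    record should be re-derived at the user's next successful login."""
    return parse_record(stored)["iterations"] < ITERATIONS
```

Because the iteration count travels with each record, ITERATIONS can be raised later without invalidating existing users; needs_rehash tells the login path which records to upgrade.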

