So I have a wiki site made with python using flask. In the site you have to register to submit a post. When I made my account I looked at the db file. Under users it has my username but my password looks something like this
pbkdf2:sha256:50000$trQqtDeG$fb666b434b1920c814101fd3afedf75c9e21e2eebbfe7e6aa9fe4aec3d69b1e3
I made my password poop ( dont ask why lol ) but thats what it comes up as. Lets say if I were to oneday forget my password, how can I check to see what it is?
Edit: Thanks for the explanation ! :)
You can't. This is a one way hash, and it's meant to be that way - it's a common practice not to store plaintext passwords on the database, so that nobody can ever see what is the users password.
The general concept is that given an user password (and a salt) you are able to compute the same hash value and compare it to see if the password is correct, but you are not able to (easily) get the password by obtaining the hash.
To deal with 'what if I forget my password' issue you should implement a password reset procedure.
Related
I'm making an application where there are user accounts in play.
All data of the user is encrypted using a key. This key is encrypted itself, using the hash of the user password. This means that when the user logs in with the correct password, the resulting hash will decrypt the key which can then be used to decrypt all other data of the user. The user password is the "gate" to all user data.
Forgetting their user password means losing their account. I want to implement a way to recover their account.
To recover their account, it needs to be possible to recover the decrypted key without storing it in decrypted form in the database and without encrypting it using a password. It needs to be recoverable using email recovery or something similar.
I haven't found a way to make this work and that's why I'm asking help. I don't need code (it's written in python though if you really want to); just pseudo-code about how one should go about implementing this is enough.
Good evening guys,
Im thinking about making a program sometime in the week where it stores usernames and passwords. The user will be able to directly input their own username and chosen password and it stores them. The program will need to be able to store a username as a variable so what im asking is how can python create a new variable from a user input? because to store usernames it would have to have an infinite list of variables so it needs to be able to generate its own.
I hope you understand what im asking :)
I am also wondering, if this is not possible, would i be able to add their username to a dictionary from an input.
Really baffled by this at the moment and would appreciate any help :)
But that is exactly what lists and dictionaries are for. Variable names are not data: as you say, the more people you have, the more variables you'd need to create. Whereas you could easily store a password in a dictionary keyed by the username:
import getpass
users = {}
username = raw_input('Enter your username?')
password = getpass.getpass('Enter your password?')
users[username] = password
I hope you know, though, that the dictionary will only remain as long as your program is running. If you want it to be permanent, you'll need to store it somewhere, say in a database or a disk file.
As Sukrit said to store username and password values you would assign the raw_input to a variable.
However to have the "dictionary" feature you mention, you might want to interface with a database. In that case the link below shows a tutorial on connecting to a MySQL database and executing queries.
http://www.tutorialspoint.com/python/python_database_access.htm
I'm writing my first web site, and am dealing with user registration.
One common problem to me like to everyone else is to detect user already exist.
I am writing the app with python, and postgres as database.
I have currently come up with 2 ideas:
1)
lock(mutex)
u = select from db where name = input_name
if u == null insert into db (name) values (input_name)
else return 'user already exist'
unlock(mutex)
2)
try: insert into db (name) values(input)
except: return 'user already exist'
The first way is to use mutex lock for clear logic, while the second way using exception to indicate user existence.
Can anyone discuss what are the pros and cons of both of the methods?
I think both will work, and both are equally bad ideas. :) My point is that implementing user authentication in python/pg has been done so many times in the past that there's hardly justification for writing it yourself. Have you had a look at Django, for example? It will take care of this for you, and much more, and let you focus your efforts on your particular application.
Slightly different, I usually do a select query via AJAX to determine if a username already exists, that way I can display a message on the UI explaining that the name is already taken and suggest another before the submit the registration form.
As title said, I want to use python_ldap to get user's password.
Here is python-ldap reference,
http://www.python-ldap.org/doc/html/index.html
I didn't find any function to get user's password.
Is there anybody do the same thing like me?
And is it possible to get user's password?
No system that is designed to be secure will allow access to clear-text passwords. In fact, the system won't even know the clear-text password.
You might want to re-think exactly what you are trying to do.
No, an ldap server will not send out passwords, plain or encrypted.
You can only write them if you provide the correct credentials.
Usually you query an LDAP directory for a given organizational unit, common name, etc. and find things like passwords as attributes. It means you have to know something about the LDAP schema. There's nothing in your question to indicate that you do.
I am making a simple web-app which requires login for the admin page. I came across this incantation on the web.py site (http://webpy.org/cookbook/userauth) :
import hashlib
import web
def POST(self):
i = web.input()
authdb = sqlite3.connect('users.db')
pwdhash = hashlib.md5(i.password).hexdigest()
check = authdb.execute('select * from users where username=? and password=?', (i.username, pwdhash))
if check:
session.loggedin = True
session.username = i.username
raise web.seeother('/results')
else: return render.base("Those login details don't work.")
However the page also gives a somewhat ominous warning: "Do not use this code on real site - this is only for illustration.". I was wondering if there are any major holes in this, I'm somewhat unfamiliar with web-programming so just wanted to make sure that using this code wont unwittingly make the app open to trivial attack vectors?
Many thanks
select * from users where username=? and password=?', (i.username, pwdhash)
^ SQL injection, broseph. If someone does 'or 1=1' into the search field, they'll get the first result in users because of the SELECT * from. Often the first entry is the admin credentials.
The only glaringly obvious problem I see is that the password is stored with as simple MD5 hash with no salt. From your point of view, this isn't so much of an issue, but from the user's point of view it's a major security flaw since someone with access to the database can fairly easily crack sufficiently bad passwords by just googling their MD5 hashes.
The only possible problem I can think of here, could be if it would somehow be possible to exploit MD5 collisions, i.e. that two different strings can generate the same MD5 hash - in that case someone could potentially log in with a password that is not correct, but generates the same MD5 hash.
Changing to a better hashing algorithm such as SHA-1 (or something else available in hashlib) would close this potential security problem.
As far as I know, it would be very difficult to exploit the MD5 collision problem to gain access. Even so, it is broken, and quoting security guru Bruce Schneier from the wikipedia article:
[he] wrote of the attack that "[w]e already knew that MD5 is a broken hash function" and that "no one should be using MD5 anymore."