Good evening guys,
Im thinking about making a program sometime in the week where it stores usernames and passwords. The user will be able to directly input their own username and chosen password and it stores them. The program will need to be able to store a username as a variable so what im asking is how can python create a new variable from a user input? because to store usernames it would have to have an infinite list of variables so it needs to be able to generate its own.
I hope you understand what im asking :)
I am also wondering, if this is not possible, would i be able to add their username to a dictionary from an input.
Really baffled by this at the moment and would appreciate any help :)
But that is exactly what lists and dictionaries are for. Variable names are not data: as you say, the more people you have, the more variables you'd need to create. Whereas you could easily store a password in a dictionary keyed by the username:
import getpass
users = {}
username = raw_input('Enter your username?')
password = getpass.getpass('Enter your password?')
users[username] = password
I hope you know, though, that the dictionary will only remain as long as your program is running. If you want it to be permanent, you'll need to store it somewhere, say in a database or a disk file.
As Sukrit said to store username and password values you would assign the raw_input to a variable.
However to have the "dictionary" feature you mention, you might want to interface with a database. In that case the link below shows a tutorial on connecting to a MySQL database and executing queries.
http://www.tutorialspoint.com/python/python_database_access.htm
Related
I have got keyring concept. And I'm trying to get the username list from it.
Unfortunately it seems there is no function for get saved username list.
I hope to show the saved list and choose one for auto logging.
Even though there is credential, it shows only at least username.
If there is no function about it, I will make to username list when login info is saved.
But I don't want it purely. Is there any library for saving data like keyring mechanism?
(encoding and saving private region each machine, but without password. Only String like username)
Basically, I have built a login system.
The first time that a user uses the login system, a text file is created and the username and password are saved there when the user uses a "remember password?" function.
The second time the software uses the system, the system already has the user and password typed in if the user previously used the "remember password?" function.
The thing is, the text file where the password and user are stored can be accessed by simply just going to folder and double clicking on it, which is awful for security reasons.
Is it possible to make it so that the text file can't be accessed outside the program?
It's not possible, as long as you are storing data on your disk, the data will always be readable.
Actuall when you uses .txt, it means that you want it to be readable to others. If you are looking for security, you have to encode your content(Account & Password) to something else that only your program can read.
something similar to chaning 'A' to 'B', '1' to '0', '0' to '7'.....
or another approach used by modern Login Sytem: Hashing your Password
Basically, there isn't a way to securely store a password in clear in a file in the file system.
You can arrange things so that a file can only be read by a specific account on the system. However, someone with admin privilege will (probably) be able to do things that will give themselves access. And there will most likely be other ways to break file system security in some circumstances.
The ideal solution is to NOT store the password. Even storing it encrypted with a private key is a bad idea.
Creating and storing a "salted hash" of a password can be secure ... provided that there is no way that a "bad guy" can capture the password characters before they have been hashed, but I don't think that is going to help you here ... since you apparently need to be able to recover the actual password.
Maybe the best approach would be to investigate "password safe" or "key chain" products that are provided by the client's OS or web browser. Unfortunately, this is going to be platform specific.
You could also just "hide" the file containing the password, or (reversibly) obscure the password. But this is insecure. It can easily be defeated by reverse engineering the steps that your code is taking to hide the password.
I hope I didn't create a duplicate question.
I tried to look for already existing questions, but I didn't find anything.
I have successfully set up a database with username, salt and hashed password for logging in.
For checking the password, I compare the generated hash with the one of the database, see code below.
password_hashed_from_user = res[0][0]
salt = res[0][1]
key_generated = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), base64.b64decode(salt.encode('utf-8')), 100000, dklen=128)
key_encoded = base64.b64encode(key_generated).decode('utf-8')
if key_encoded != password_hashed_from_user:
logging.debug("Password was wrong:\n{}\n{}".format(key_encoded, password_hashed_from_user))
return "Username and/or password incorrect", False
The problem now is that I want the user to be able to act completely anonymously, which means I want the user to be able to use a generated token for identification, which cannot be traced back to his account.
Therefore I would need to store the token in a separate table, not correlated to the one with the credentials.
In order for the user to not be able to cheat and just ask the server for a new token every time he logs in (and therefore act as a new user), I wanted to compute the token based on the credentials.
So I figured, I could just have a separate salt and create a new hash based on the password (with the same method as in the code example).
Since the password itself is not stored on the server, this hash could not be generated without the password of the user itself.
This way, the generated token is always the same, as long as the salt doesn't change.
So I can make sure that a specific user is always identified as the same one, while the user can make sure that I cannot trace back his actions.
Background
The background is that I need to create a voting environment, where people have to register and identify themselves in order to prevent double voting, but the vote results, as well as the participation etc should not be traced back to the specific user.
As this is a project in my studies, I cannot just use existing frameworks/libraries.
Now my question:
Is it safe to store two separate hashes of the same password with different salts on the same server or would the duplication make it feasible to recreate the actual password? Both salts would be stored together, together with one of the hashes. The other hash would be in a separate, unrelated table.
I always struggled a bit with encryption on that level.
Is it safe to store two separate hashes of the same password with different salts on the same server or would the duplication make it feasible to recreate the actual password?
Yes, it is safe.
The basic idea behind that statement is that the salt "injects" sufficient uniqueness into the process that the password hash can work with to ensure that two different salts yield unrelated-looking hashes. A real-world example of this would be the worry of two different users having the same password (but different salts) - which also doesn't leak anything about the password and was one of the main motivations to introduce salts.
The more cryptographic argument is either you assume your hash acts like a random oracle - which yields unrelated random ouputs for unique inputs - in which case the uniqueness of the salt hides all output. Or you use a weaker assumption that your password hash is a randomness extractor combined with a pseudo-random function (not unreasonable for a cryptographic hash-based password-hash) with the key in the password input. In that case assuming the password is unknown and sufficiently random all unique salts will be mapped to strings that are indistinguishable from random output and therefore cannot yield any information about the output.
Alternatively you can also use Bellare, Ristenpart and Tessaro's definition for password hashing security which essentially says "breaking a password hash is as hard as guessing the password if said hash is good".
So I have a wiki site made with python using flask. In the site you have to register to submit a post. When I made my account I looked at the db file. Under users it has my username but my password looks something like this
pbkdf2:sha256:50000$trQqtDeG$fb666b434b1920c814101fd3afedf75c9e21e2eebbfe7e6aa9fe4aec3d69b1e3
I made my password poop ( dont ask why lol ) but thats what it comes up as. Lets say if I were to oneday forget my password, how can I check to see what it is?
Edit: Thanks for the explanation ! :)
You can't. This is a one way hash, and it's meant to be that way - it's a common practice not to store plaintext passwords on the database, so that nobody can ever see what is the users password.
The general concept is that given an user password (and a salt) you are able to compute the same hash value and compare it to see if the password is correct, but you are not able to (easily) get the password by obtaining the hash.
To deal with 'what if I forget my password' issue you should implement a password reset procedure.
I am creating a small system where the person can login with a username and a password. The code would then check the text file that contains the username and the password on the same line.
I have no idea how to make this work thought. How come it is so complicated to create a simple login system based off of a text file with the details in it? I believe that it is my philosophy that is wrong and not the actual code.
I have used various codes like the following:
with open('users/users.txt') as f:
{int(k): v for line in f for (k, v) in (line.strip().split(None, 1),)}
Which come to no use. What am I doing wrong?
I'm assuming you have a text file that's laid out like so:
username1 password1
username2 password2
...
From what I gathered from your question, you wish to parse this file and store the results in a dictionary (i.e. username key maps to password value). This sort of stuff is more appropriately stored in a database (SQLite is built-in to Python, for instance), so you should definitely look into learning about databases rather than using a plain text file for data storage, especially user accounts.
Also, you should think about how you should store sensitive information like passwords using techniques such as hashing, but that's something you can think about when you want to make the next step (I'm under the assumption this is a small learning project, so concepts like databases and hashing might be beyond your current scope, but they are absolutely worth learning).
As for your question, you could think about doing something like the following:
accounts = dict()
with open('users.txt') as f:
for account in f:
(usr, pwd) = account.strip().split()
accounts[usr] = pwd
print(accounts)
I think code clarity is more important than keeping it all in one line! The code that I have shown isn't exhaustive, more like a guideline. As I said before, I don't recommend you go this route, so definitely look into databases and proper password storing techniques!
What you could do in the mean time to ensure some form of security is to store the password as a hash (i.e. pwd would be a hash). Then when the user passes the password to the system you can calculate the hash and check if the hashes are equal. This would be better than dealing with plain text passwords. Python has a built-in module for hashing called hashlib. I'm not an expert on hashing, but this would be a decent starting point.