Secure login with Python credentials from user database

Question:

I'd like to create a secure login with Python, but I need to check the user table from a database so that multiple users can log in with their own password. Mainly like this; it works like a charm but is not secure, of course.

```python
import getpass
import sqlite3

# Plaintext login: the PASSWORD column is stored and compared in clear text
while True:
    USER = input("User: ")
    PASSWORD = getpass.getpass()
    db = sqlite3.connect("test.db")
    c = db.cursor()
    login = c.execute("SELECT * from LOGIN WHERE USER = ? AND PASSWORD = ?", (USER, PASSWORD))
    if len(login.fetchall()) > 0:
        print()
        print("Welcome")
        break
    else:
        print("Login Failed")
        continue
```

So then I tried hashing the password, which also works of course, but then I can't store it in the database to check against, so there is no check at all.

```python
import getpass
from passlib.hash import sha256_crypt

password = input("Password: ")
# sha256_crypt picks a fresh random salt each time, so the two hashes differ
# (hash() is the current name; encrypt() is the older, deprecated alias)
hash1 = sha256_crypt.hash(password)
hash2 = sha256_crypt.hash(password)
print(hash1)
print(hash2)

passwd = getpass.getpass("Please enter the secret password: ")
# verify() reads the salt back out of the stored hash string before comparing
if sha256_crypt.verify(passwd, hash1):
    print("Everything worked!")
else:
    print("Try again :(")
```

I tried like this so that the password hash would be taken from the database but with no success:

```python
import getpass
import sqlite3
from passlib.hash import sha256_crypt

USER = input("User: ")
db = sqlite3.connect("test.db")
c = db.cursor()
# This only builds the SQL text (unsafely, via %s) and never executes it,
# so `hash` holds the query string rather than the stored hash
hash = "SELECT HASH FROM LOGIN WHERE USER = %s" % USER
print(hash)
passwd = getpass.getpass("Password: ")
if sha256_crypt.verify(passwd, hash):
    print("Everything worked!")
else:
    print("Try again :(")
```

So my question is, what is the best way to create a secure login for my program? And I do need different logins for different users, as stated in the user table. I did it on MySQL before, but for testing purposes I'm now trying it on SQLite3. So that doesn't matter, as long as I know how to approach this.

Answer1:

Really you should avoid doing this yourself at all. There are plenty of libraries that correctly implement this kind of authentication.

Nevertheless, the pattern to follow is like this:

- Don't store the plain password in the database at all. When the user account is created, hash the password immediately and store that.
- When the user logs in, hash the value they enter for the password, then compare that against the value stored in the database already.

(Note that for decent security, you not only need to use a modern hash algorithm but should also use a salt: https://en.wikipedia.org/wiki/Salt_(cryptography)).
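The register-then-verify pattern from the answer, as an added example that is not part of the original question or answer. It uses only the standard library (PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time compare) instead of passlib's sha256_crypt, and assumes a LOGIN table with USER, SALT and HASH columns; the iteration count and the table layout are assumptions, not from the page.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumption; raise as hardware allows)
SALT_BYTES = 16


def open_db(path=":memory:"):
    """Open the database and create the assumed LOGIN table if needed."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS LOGIN "
        "(USER TEXT PRIMARY KEY, SALT BLOB NOT NULL, HASH BLOB NOT NULL)"
    )
    return db


def derive(password, salt):
    """Salted, slow hash of the password; the same inputs always give the same bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db, user, password):
    """Account creation: hash immediately with a fresh salt, store salt and hash only."""
    salt = os.urandom(SALT_BYTES)
    db.execute(
        "INSERT INTO LOGIN (USER, SALT, HASH) VALUES (?, ?, ?)",
        (user, salt, derive(password, salt)),  # parameterised, never string-formatted
    )
    db.commit()


def login(db, user, password):
    """Login: look up the stored salt/hash for USER and compare the recomputed hash."""
    row = db.execute("SELECT SALT, HASH FROM LOGIN WHERE USER = ?", (user,)).fetchone()
    if row is None:
        # Unknown user: still do the hashing work so response time does not
        # reveal which usernames exist, then fail.
        derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    db = open_db()                      # constructed, in-memory demo
    register(db, "alice", "correct horse battery")
    print("Welcome" if login(db, "alice", "correct horse battery") else "Login Failed")
```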
