使用来自用户数据库的Python凭据安全登录
[英]Secure login with Python credentials from user database
问题描述
I like to create a secure login with Python but need to check the user table from a database, so that multiple users can log in with their own password. 
我喜欢使用Python创建安全登录名,但需要从数据库中检查用户表,以便多个用户可以使用自己的密码登录。 Mainly like this, works like a charm but not secured of course. 主要是这样,就像魅力一样工作,但是当然不能保证。
while True:
USER = input("User: ")
PASSWORD = getpass.getpass()
db = sqlite3.connect("test.db")
c = db.cursor()
login = c.execute("SELECT * from LOGIN WHERE USER = ? AND PASSWORD = ?", (USER, PASSWORD))
if (len(login.fetchall()) > 0):
print()
print("Welcome")
break
else:
print("Login Failed")
continue
So then I tried hashing the password, work also of course, but then I can't store it on the database to check, so there is no check at all. 因此,我尝试对密码进行哈希处理,当然也可以使用,但是后来我无法将其存储在数据库中进行检查,因此根本就没有检查。
from passlib.hash import sha256_crypt
password = input("Password: ")
hash1 = sha256_crypt.encrypt( password )
hash2 = sha256_crypt.encrypt( password )
print(hash1)
print(hash2)
import getpass
from passlib.hash import sha256_crypt
passwd = getpass.getpass("Please enter the secret password: ")
if sha256_crypt.verify( passwd, hash ):
print("Everything worked!")
else:
print("Try again :(")
I tried like this so that the password hash would be taken from the database but with no success: 我这样尝试过,以便密码哈希将从数据库中获取,但没有成功:
USER = input("User: ")
db = sqlite3.connect("test.db")
c = db.cursor()
hash = "SELECT HASH FROM LOGIN WHERE USER = %s"%USER
print(hash)
passwd = getpass.getpass("Password: ")
if sha256_crypt.verify( passwd, hash ):
print("Everything worked!")
else:
print("Try again :(")
So my question is, what is the best way to create a secure login for my program? 所以我的问题是,为程序创建安全登录名的最佳方法是什么? And I do need different logins for different users as stated in the user table. 正如用户表中所述,我确实需要为不同的用户提供不同的登录名。 I did it on MySQL before but for testing purpose I'm now trying on sql3. 我以前在MySQL上做过,但是出于测试目的,我现在尝试在sql3上做。 So that doesn't matter. 所以没关系。 As long as I know how to approach this. 只要我知道该如何处理。
1 个解决方案
解决方案1
1 已采纳 2017-09-08 14:39:41
Really you should avoid doing this yourself at all. 确实,您应该完全避免自己这样做。 There are plenty of libraries that correctly implement this kind of authentication. 有很多库可以正确实现这种身份验证。
Nevertheless, the pattern to follow is like this: 尽管如此,遵循的模式是这样的:
- Don't store the plain password in the database at all. 根本不要将普通密码存储在数据库中。 When the user account is created, hash the password immediately and store that. 创建用户帐户后,请立即对密码进行哈希处理并进行存储。
- When the user logs in, hash the value they enter for the password, then compare that against the value stored in the database already. 当用户登录时,对输入的密码值进行哈希处理,然后将其与数据库中已存储的值进行比较。
(Note that for decent security, you not only need to use a modern hash algorithm but should also use a salt ). (请注意,为了获得良好的安全性,您不仅需要使用现代的哈希算法,还应该使用salt )。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.