stackoom
  简体   繁体   中英

Secure login with Python credentials from user database

 原文  2017-09-08 14:06:47       python/ mysql/ security/ authentication/ login

Question

I like to create a secure login with Python but need to check the user table from a database, so that multiple users can log in with their own password. Mainly like this, works like a charm but not secured of course. 

while True:
USER = input("User: ")
PASSWORD = getpass.getpass()

db = sqlite3.connect("test.db")
c = db.cursor()
login = c.execute("SELECT * from LOGIN WHERE USER = ? AND PASSWORD = ?", (USER, PASSWORD))

if (len(login.fetchall()) > 0):
    print()
    print("Welcome")
    break

else:
    print("Login Failed")
    continue

So then I tried hashing the password, work also of course, but then I can't store it on the database to check, so there is no check at all. 

from passlib.hash import sha256_crypt

password = input("Password: ")
hash1 = sha256_crypt.encrypt( password )
hash2 = sha256_crypt.encrypt( password )
print(hash1)
print(hash2)


import getpass
from passlib.hash import sha256_crypt
passwd = getpass.getpass("Please enter the secret password: ")

if sha256_crypt.verify( passwd, hash ):
print("Everything worked!")

else:
print("Try again :(")

I tried like this so that the password hash would be taken from the database but with no success: 

USER = input("User: ")
db = sqlite3.connect("test.db")
c = db.cursor()
hash = "SELECT HASH FROM LOGIN WHERE USER = %s"%USER
print(hash)
passwd = getpass.getpass("Password: ")

if sha256_crypt.verify( passwd, hash ):
    print("Everything worked!")

else:
    print("Try again :(")

So my question is, what is the best way to create a secure login for my program? And I do need different logins for different users as stated in the user table. I did it on MySQL before but for testing purpose I'm now trying on sql3. So that doesn't matter. As long as I know how to approach this.

1 answers

solution1
 1 ACCPTED  2017-09-08 14:39:41

Really you should avoid doing this yourself at all. There are plenty of libraries that correctly implement this kind of authentication.

Nevertheless, the pattern to follow is like this:

  • Don't store the plain password in the database at all. When the user account is created, hash the password immediately and store that.
  • When the user logs in, hash the value they enter for the password, then compare that against the value stored in the database already.

(Note that for decent security, you not only need to use a modern hash algorithm but should also use a salt ).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Simple Python program to connect to a secure wifi network with user input credentials Best approach to secure user account credentials while using Selenium with Python Invalid credentials (Failure) Gmail from Python without Less secure apps Python database connection for user login validate wordpress user login from database using python Python requests with login credentials Secure Python Login Login to Flask app with database credentials django - Cannot login with the user credentials Secure Way to Store Credentials for an API python module
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM