Secure authentication system in python?

I am making a python web application and I would like to have a secure login system.

I have written login systems many times before: the user logs in, a random string is saved in a cookie, and the same string is stored next to that user in the database. That worked fine but was not very secure.

I believe I understand the principles of a more advanced system like this, but not the specifics:

  • Use HTTPS for login page and important pages
  • Hash the password stored in the database (bcrypt, sha256? Use salt?)
  • Use nonces (encrypted from page url and ip?)

But beyond those, I don't know, for example, how to reliably check that a logged-in user really is that user, or how to safely maintain sessions across page requests and multiple open pages, etc.

Could I have some pointers (preferably specific ones, as I am new to this kind of security programming)?

I'm just trying to perform a basic user login to a single domain with security, nothing complicated.

+4
3 answers

This answer mainly deals with password hashing, not your other sub-questions. For those, my main advice is not to reinvent the wheel: use existing frameworks that work well with GAE. It supports Django natively, but also ships with WebOb, so you should also consider the various WebOb-based frameworks (Pyramid, TurboGears, etc.). All of them have ready-made libraries that handle a lot of this for you (for example, many of the WebOb frameworks use Beaker for cookie-based sessions).


Regarding password hashing: since you indicated in some other comments that you are using Google App Engine, you will want to use the SHA512-Crypt password hash.

The other main choices for storing password hashes as securely as possible are BCrypt, PBKDF2 and SCrypt. However, GAE does not offer C-accelerated support for these algorithms, so the only way to deploy them is through a pure-Python implementation. Unfortunately, those algorithms do too much bit fiddling for a pure-Python implementation to be fast enough to be both safe and responsive. The GAE implementation of the Python crypt module, on the other hand, offers SHA512-Crypt with C acceleration (at least every time I tested it), so it can be run with a sufficient number of rounds.


As for writing the actual code, you can use the crypt module directly. You will need to take care of generating your own salt strings and passing them to crypt; when hashing a new password, call crypt.crypt(passwd, "$6$" + salt). The $6$ prefix tells crypt to use SHA512-Crypt.

Alternatively, you can use the Passlib library to handle most of this for you (disclaimer: I am the author of this library). A quick setup for GAE:

    from passlib.context import CryptContext

    pwd_context = CryptContext(schemes=["sha512_crypt"],
                               default="sha512_crypt",
                               sha512_crypt__default_rounds=45000)

    # encrypt password
    hash = pwd_context.encrypt("toomanysecrets")

    # verify password
    ok = pwd_context.verify("wrongpass", hash)

Note: if you care about password security, whatever you do, do not use a single round of HASH(salt + password) (as, for example, Django, PHPass, etc. have done), since such hashes can be trivially brute-forced.

+5
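As an added example (not code from the answer above or from Passlib), here is the pattern the answer describes, spelled out by hand: generate a random salt, store the scheme, work factor and salt alongside the digest, and verify with a constant-time comparison. It uses PBKDF2-HMAC-SHA512 from hashlib (one of the algorithms the answer names) rather than SHA512-Crypt, because the crypt module is deprecated and removed in recent Python versions; the "$pbkdf2-sha512$rounds$salt$hash" layout and the round count are constructed for this example. The last function shows the single-round HASH(salt + password) scheme the answer warns against, for contrast.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune so one verify() costs ~0.1 s on the serving host.
ROUNDS = 120_000
SCHEME = "pbkdf2-sha512"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, rounds: int = ROUNDS, salt: bytes = None) -> str:
    """Return "$pbkdf2-sha512$<rounds>$<salt>$<digest>" with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${SCHEME}${rounds}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored rounds and salt; compare in constant time."""
    try:
        _, scheme, rounds, salt, digest = stored.split("$")
        if scheme != SCHEME:
            return False  # unknown or downgraded scheme: refuse rather than guess
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), _unb64(salt), int(rounds))
        return hmac.compare_digest(candidate, _unb64(digest))
    except ValueError:  # malformed record, bad base64, non-numeric rounds
        return False


def needs_rehash(stored: str, min_rounds: int = ROUNDS) -> bool:
    """True if the record is foreign or weaker than the current policy.
    Call after a successful login and re-store with hash_password()."""
    parts = stored.split("$")
    return len(parts) != 5 or parts[1] != SCHEME or int(parts[2]) < min_rounds


def single_round_hash(password: str, salt: bytes) -> str:
    """The scheme the answer warns against: one SHA-256 over salt + password.
    Commodity hardware tests billions of these per second, so the salt only
    prevents precomputation; it does not slow an offline guessing attack."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
```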

It is difficult to be specific without knowing your setup. However, the one thing you should not do is reinvent the wheel. Security is hard, and your wheel may be missing something you won't know about until it is too late.

I wouldn't be surprised if your web framework comes with a module / library / plugin for handling users, logins and sessions. Read its documentation and use it; hopefully it was written by people who know a thing or two about security.

If you want to know how it is done, study the documentation and the source of that module.

+1

I have started working on an advanced login for Python; here is the code you need for a simple login, which is secure if you password-protect the files:

    text_file = open("ID1username.txt", "r")
    text_file2 = open("ID1password.txt", "r")
    text_file3 = open("ID2username.txt", "r")
    text_file4 = open("ID2password.txt", "r")
    # Each credential is read as two chunks (1 + 7 chars, 1 + 3 for the admin password)
    adminusername = text_file.read(1) + text_file.read(7)
    adminpassword = text_file2.read(1) + text_file2.read(3)
    standardusername = text_file3.read(1) + text_file3.read(7)
    standardpassword = text_file4.read(1) + text_file4.read(7)
    # The above gets the information from text files
    Name = input("What is your username/staff name: ")
    username = input("User: ")
    password = input("Password: ")
    if (username == adminusername and password == adminpassword) or \
       (username == standardusername and password == standardpassword):
        print("Access Granted!")
        print("Thanks for using Joseph Senior login system")
    # Originally compared against the undefined name `admin` (a NameError);
    # this branch can never be reached because the admin case is handled above.
    elif username == adminusername and password == adminpassword:
        print("Welcome Back " + Name)
    else:
        print("Access Denied!")
        # Debug output: this prints the stored admin credentials to whoever failed to log in.
        print(adminusername)
        print(adminpassword)
    if (username == adminusername and password == adminpassword) or \
       (username == standardusername and password == standardpassword):
        update = input("Do you wish to change your username and password, Yes or No: ")
        if update == "Yes":
            # Note: these are different files from the ones read at the top,
            # so the new credentials are not used on the next login.
            adminusername = open("adminusername.txt", "w")
            adminpassword = open("adminpassword.txt", "w")
            new_username = input("New Username: ")
            new_password = input("New Password: ")
            adminusername.writelines(new_username)
            adminpassword.writelines(new_password)
            adminusername.close()
            adminpassword.close()
            print("Username and Password Changed!")
            print("Thanks for using Joseph Senior login system")
    text_file.close()
    text_file2.close()
    text_file3.close()
    text_file4.close()
-2
