Geek Answers Handbook

Python password protection

I am new, so if this question sounds stupid, please bear with me.

I am wondering when we write code to verify the username / password in python, if it is not compiled by exe ie script state , people will not be able to easily open the file and remove the code potion that performs password verification

I assume the whole program is completely written in python , no C or C++ .

Even if I use a program like py2exe , it can be easily decompiled back to source code. So, does this mean that it is useless to do a password check?

How do professional programmers deal with this?

+7
python passwords password-encryption password-protection
source share
7 answers

Edit: Your revised question makes it clear that you are worried that people editing the code bypass the password check. Yes, it is quite possible. You can deliver your code in .pyc form, but that does not necessarily prevent someone from decompiling and changing it. Unfortunately, Python is simply not designed to prevent code changes. The best you can do is perform some kind of authentication transaction with a secure server, so no matter how someone changes the code, they cannot get around this step. Depending on your specific application, this may be redundant.

The problem of managing password authentication is a complex security problem that people spend their whole careers with. However, there is some information about this that suggests that you are trying to collapse your own authentication with a password:

Even for accidental password protection, as a rule, user passwords are not stored in clear text. Instead, a robust one-way hash function is usually created to create a bit pattern that does not look like a password. When a password is entered, the same hash function is applied and bit patterns are compared. If they are the same, the probability that the password is entered correctly is very high.

What constitutes a "reliable" hash function is complex. Some of them are widely used, and some of the common hash functions are susceptible to known exploits.

Noelkd provides some code demonstrating this approach, although the MD5 that uses its code is (I believe) that has been compromised to the point that there is a better choice. This article also offers some code to do something like this:

Python user and password authentication

If your problem is to save the actual password, which you must pass to plaintext in the SQLite database, this is another problem. In most cases, I saw such passwords stored in clear text both in scripts and in the configuration file, and the application is structured in such a way that compromising this password poses a modest risk.

+5
source share

You can check the hash of what the user entered in the hash of your password to check if the user has entered the correct password, I made a very simple example to show this:

 """ Python Password Check """ import hashlib import sys password = "2034f6e32958647fdff75d265b455ebf" def main(): # Code goes here print "Doing some stuff" sys.exit(0) while True: input = raw_input("Enter password: ") if hashlib.md5(input).hexdigest() == password: print "welcome to the program" main() else: print "Wrong Password"

In the example, the hashed password is "secretpassword" , which hashes to "2034f6e32958647fdff75d265b455ebf" , so that you can see even if the source code is decompiled, you can still only see the password hash, not the password plan text.

To give this a little update for 2016, for now, if your hashing passwords in python you should look at one of the three following libraries:

passlib

 >>> # import the hash algorithm >>> from passlib.hash import sha256_crypt >>> # generate new salt, and hash a password >>> hash = sha256_crypt.encrypt("toomanysecrets") >>> hash '$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC' >>> # verifying the password >>> sha256_crypt.verify("toomanysecrets", hash) True >>> sha256_crypt.verify("joshua", hash) False

Example taken from here

bcrypt

 import bcrypt password = b"super secret password" # Hash a password for the first time, with a certain number of rounds hashed = bcrypt.hashpw(password, bcrypt.gensalt(14)) # Check that a unhashed password matches one that has previously been # hashed if bcrypt.hashpw(password, hashed) == hashed: print("It Matches!") else: print("It Does not Match :(")

django-scrypt

+5
source share

If you do the validation on a user machine, they can edit the code as they like, pretty much no matter what you do. If you need such security, then the code should be run somewhere inaccessible, such as a server. β€œDo not trust the client” is an important principle of computer security.

I think that you want to make a server script that can only be accessed with the password provided by the client program. This server program will be very similar to the example code provided in other answers: when creating a new client, they send an unencrypted password to the server, which transmits it in one-way encryption and saves it. Then, when the client wants to use the code, which is the main body of your program, they send the password. The server passes this through one-way encryption and sees if it matches any stored, hashed passwords. If so, it executes the code in the main part of the program and sends the result back to the user.

In the relevant topic, the other answers suggest using the md5 algorithm. However, this is not the safest algorithm - although it is safe enough for many purposes, the hashlib module in the standard library provides other, more secure algorithms, and there is no reason not to use them instead.

+4
source share

On a server, only server administrators should be allowed to change the code. Therefore, to change the code, you must have administrator access, and if so, then you can still access everything. :-)

The same goes for the client program. If the only security is password verification, you do not need to bypass password verification, you can simply read the data files directly.

In both cases, so that people who have access to files do not view these files, password verification is not enough. You must encrypt the data.

+2
source share

Let's start with the main one, right? When encrypting credential passwords, we should always do one-way encryption. One-way encryption means that you cannot decrypt text after it is encrypted. There is encryption called md5 , which is only one way to encrypt.

There is already a library available to it in Python called hashlib .

From python docs:

 >>> import hashlib >>> m = hashlib.md5() >>> m.update("Nobody inspects") >>> m.update(" the spammish repetition") >>> m.digest() '\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9' >>> m.digest_size 16 >>> m.block_size 64

More on this: http://docs.python.org/2/library/hashlib.html?highlight=hashlib#hashlib

+1
source share

To protect the data stored on the client machine, you need to encrypt it. Period.

If you trust an authorized user, you can use a password-based encryption key (many other answers on Stack Exchange address this), and we hope that it is smart enough to protect your computer from malware.

If you do not trust an authorized user (aka DRM), you are simply out of luck - find another project. -)

0
source share

I spent the last couple of days clarifying this and running it through password crackers, and it seems to be holding on pretty strong.

Here is my code for you to view:

 import time import os import random import string passwordScore = 0 def optionOne(): global passwordScore #Code for checking a password os.system('cls') print('Option One has been selected') password = input('Please type in your password here: ') #Password check begins if (len(password) > 7) and (password.isspace() == False): #Check for capitalisation for p in password: if p.isupper() == True: passwordScore += 1 else: pass passwordScore += 2 for s in string.punctuation: #Beginning test for special letters for p in password: if s == p: passwordScore += 1 else: pass else: pass # Returning results to the user if passwordScore >= 5: print('Your password is safe enough to use') time.sleep(2) elif passwordScore == 3: print('We believe your password could be safer') time.sleep(2) else: print('Your password is not safe enough to use') print('using this password may place your data at risk') time.sleep(2) def optionTwo(): #Code for creating a password at random print('Option Two has been selected') chars = string.ascii_uppercase + string.ascii_lowercase + string.digits + string.punctuation size = random.randint(8, 12) newPassword = ''.join(random.choice(chars) for x in range(size)) print(newPassword) def start(): print('Option 1: Check my passsword') print('Option 2: Create a password') option = input('Please chose your option here [ENTER]: ') if option == '1': #Option 1 has been selected return optionOne() elif option == '2': #Option 2 has been selected return optionTwo() else: #An error has occured print('You have not selected a valid option') time.sleep(1) os.system('cls') return start() for i in range(1): start()

This should do the job for almost everyone, as long as you customize it to your needs!

-one
source share

More articles:


All Articles