Creating Original Database Algorithm--Login System
Problem
For fun, I have been making a very basic login system in Python. I was going to look up an algorithm or something for user info storage and transfer, but then decided it would be more fun to come up with and implement it myself. What I would like to know is:

- Is there any way to make it secure (i.e. encrypting the password without revealing the algorithm in the file)?
- Can the algorithm I used be made any more efficient?
- Is it cleanly written? I tried to take into account the comments on my last question regarding simplifying code, and any comments about its readability would be appreciated; my secondary goal is beautiful code.
```python
#This program will do a couple of things.
#The first time it is run, it will request that you add a password. Once you do, it will change the check_e$
#Every subsequent time, it will check the password in the other file and then match user input.
#If user input is correct it will display a joke.
#If user input is incorrect it will exit the program.

#Function to help the user pick a password
def pick_password():
    file = '/home/vhx/Documents/code/pydata_test/password_dbs/pswd.txt'
    print 'Please pick a password.'
    password = raw_input()
    # 'with' closes the file when the block ends (the posted code never closed it)
    with open(file, 'w') as target:
        target.write(password)
    file = '/home/vhx/Documents/code/pydata_test/password_dbs/existence_check.txt'
    with open(file, 'w') as target:
        target.write('YES')

#Function to check the password with the password located in pswd.txt
def password_check():
    file = '/home/vhx/Documents/code/pydata_test/password_dbs/pswd.txt'
    with open(file) as stored:
        pwd_check = stored.read()
    userpass = raw_input('Please input a password.\n')
    if userpass == pwd_check:
        print 'Password accepted!'
        print 'Ready for the joke?'
        raw_input()
        print 'Why did the fly fly? Because the spider spied her!'
    else:
        print 'Sorry,'  # the rest of this line is cut off in the posted code
```
Solution
It looks like passwords are stored in plain text form in the pswd.txt file. Never ever store passwords in plain text form. Store passwords salted and cryptographically hashed. That way, if an attacker gains access to the file, he still has to crack the password, which can be extremely difficult if the password is strong enough.
To verify a password, apply the same algorithm to the user input as used when creating the salted and cryptographically hashed version. The result will only match the stored password if the user entered the correct password.
@Boris left a great comment, quoting it verbatim:
> Encrypted passwords are a bad idea as the encryption key needs to be stored in the code, then it's just a question of looking at the code to gain the key. Hashing is irreversible and using a good, random, unique salt per password and a purpose-built cryptographic hashing algorithm is the only acceptable way of storing passwords - the best idea is to use something like bcrypt, which is industry standard and rolls all this together.

Context
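The salt-and-hash scheme the answer describes, written out as an added example (not code from the question or the answer): a per-password random salt, a slow hash, and verification that re-runs the same algorithm on the candidate. The answer recommends bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library only so that it runs without a third-party package, and the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
# Added example: replace the plain-text pswd.txt with a salted, iterated hash.
# Python 3 standard library only. Record format is this example's own choice.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100000  # work factor; raise it over time as hardware gets faster


def make_record(password, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh 16-byte random salt is drawn per password, so two users with the
    same password get different records and a precomputed table is useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Re-run the same algorithm on the candidate and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False  # unknown algorithm: never accept
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: this record is what pswd.txt would hold instead of
    # the plain-text password.
    record = make_record("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```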
StackExchange Code Review Q#96145, answer score: 10