Password field in Django model

Question

I\'m trying to create a model where I can store usernames and passwords for other applications. How can I set a password field in Django so that it is not in plain text in a

Answer 1

If you need a reversible password field, you could use something like this:

from django.db import models
from django.core.exceptions import ValidationError
from django.conf import settings

from os import urandom
from base64 import b64encode, b64decode
from Crypto.Cipher import ARC4
from django import forms



PREFIX = u'\u2620'


class EncryptedCharField(models.CharField): 
    __metaclass__ = models.SubfieldBase

    SALT_SIZE = 8

    def __init__(self, *args, **kwargs):
        self.widget = forms.TextInput       
        super(EncryptedCharField, self).__init__(*args, **kwargs)

    def get_internal_type(self):
        return 'TextField'    

    def to_python(self, value):
        if not value:
            return None
        if isinstance(value, basestring):
            if value.startswith(PREFIX):
                return self.decrypt(value)
            else:
                return value
        else:
            raise ValidationError(u'Failed to encrypt %s.' % value)

    def get_db_prep_value(self, value, connection, prepared=False):
        return self.encrypt(value)        

    def value_to_string(self, instance):
        encriptado = getattr(instance, self.name)
        return self.decrypt(encriptado) if encriptado else None

    @staticmethod
    def encrypt(plaintext):
        plaintext = unicode(plaintext)
        salt = urandom(EncryptedCharField.SALT_SIZE)
        arc4 = ARC4.new(salt + settings.SECRET_KEY)
        plaintext = u"%3d%s%s" % (len(plaintext), plaintext, b64encode(urandom(256-len(plaintext))))
        return PREFIX + u"%s$%s" % (b64encode(salt), b64encode(arc4.encrypt(plaintext.encode('utf-8-sig'))))

    @staticmethod
    def decrypt(ciphertext):
        salt, ciphertext = map(b64decode, ciphertext[1:].split('$'))
        arc4 = ARC4.new(salt + settings.SECRET_KEY)
        plaintext = arc4.decrypt(ciphertext).decode('utf-8-sig')
        return plaintext[3:3+int(plaintext[:3].strip())]

The encryption part is based on the snippet on https://djangosnippets.org/snippets/1330/, I just turned it into a field model, added utf-8 support and added a prefix as a workaround for Django's silly use of to_python()

Answer 2

Unfortunately there isn't an easy answer to this question because it depends on the applications you are trying to authenticate against and it also depends on how secure you want the password fields to be.

If your Django application will be using the password to authenticate against another application that requires a plaintext password to be sent, then your options are:

• Store the password in plain text in your Django model (your question implies you don't want to do this)
• Capture a master password from the user before they can unlock their stored password for other applications
• Obfuscate the password in the model so that it can be accessed by anyone with raw datastore permissions but just isn't obvious to human casual viewers

You could use the Django user password as the master password if you are using Django's builtin user model. This means that you will need to keep that master password in memory which may make some operations difficult for you, such as restarting the server or running load-balanced redundant servers.

Alternative to storing passwords

Luckily many modern applications support this in another way using an access token system which is key based rather than password based. Users are guided through the process of setting up a link between the two applications and, behind the scenes, the applications generate keys to authenticate each other either permanently or with a defined expiration date.

Facebook, for example, supports this model and they have extensive documentation about how it works:

Facebook Developers: Access Tokens and Types

Once you have managed to link with Facebook using [OAuth 2.0](http://tools.ietf.org/html/draft-ietf-oauth-v2- 12) you will probably find it easier to add links to other applications using that same protocol.

Answer 3

Your best bet (I'm aware of) is to dig into the code in the django code, and see how it's done there. As I recall, they generate a salted hash so that the plain text values are never stored anywhere, but rather the hash and salt are.

If you go into the django installation, and poke around for words like hash and salt, you should find it pretty quickly. Sorry for the vague answer, but perhaps it will set you on the right path.

Answer 4

I don't think you are ever going to be able to de-hash an encrypted password that was stored in a manner similar to the normal django User passwords. Part of the security is that they are un-de-hashable.

Answer 5

As @mlissner suggested the auth.User model is a good place to look. If you check the source code you'll see that the password field is a CharField.

password = models.CharField(_('password'), max_length=128, help_text=_("Use 
'[algo]$[salt]$[hexdigest]' or use the <a href=\"password/\">change password form</a>."))

The User model also has a set_password method.

def set_password(self, raw_password):
    import random
    algo = 'sha1'
    salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
    hsh = get_hexdigest(algo, salt, raw_password)
    self.password = '%s$%s$%s' % (algo, salt, hsh)

You can take some clues from this method about creating the password and saving it.