Python Password Protection

Question

I am a beginner so if this question sounds stupid, please bear with me.

I am wondering that when we write code for username/password check in python, if it is not c

Answer 1

Let's start with the basic now, shall we? While doing the login credential password encryption, we should always do one way encryption. One way encryption means, you can't decrypt the text once it's encrypted. There'a encryption called md5 which are only one way encryption.

There's already a library available for it in Python called hashlib.

From the python docs:

>>> import hashlib
>>> m = hashlib.md5()
>>> m.update("Nobody inspects")
>>> m.update(" the spammish repetition")
>>> m.digest()
'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9'
>>> m.digest_size
16
>>> m.block_size
64

More on this: http://docs.python.org/2/library/hashlib.html?highlight=hashlib#hashlib

Answer 2

One way would be to store the password in a hash form of any algorithm and check if the hash of the password given is equal to the stored password hash.

The second way might be to take a password like "cat" and convert them to ascii and and add them up and store the sum. Then you can compare the given password's ascii sum to the one you stored.

OR you can combine them both! Maybe also hash the ascii sum and compare the given pass word's ascii sun's hash.

These are the three ways I know at least. And you can use chr or ord default function in python to convert to and back repeatedly to ascii. And you can use hashlib to hash.

Answer 3

On a server only server administrators should have the right to change the code. Hence, to change the code you have to have administrator access, and if you do, then you can access everything anyway. :-)

The same goes for a client program. If the only security is the password check, you don't need to get around the password check, you can just read the data files directly.

In both cases, to prevent people that has access to the files from reading those files a password check is not enough. You have to encrypt the data.

Answer 4

If you are doing the checking on a user's machine, they can edit the code how they like, pretty much no matter what you do. If you need security like this then the code should be run somewhere inaccessible, for instance a server. "Don't trust the client" is an important computer security principle.

I think what you want to do is make a server script that can only be accessed by a password being given to it by the client program. This server program will function very much like the example code given in other answers: when a new client is created they send a plaintext password to the server which puts it through a one-way encryption, and stores it. Then, when a client wants to use the code that is the main body of your program, they send a password. The server puts this through the one-way encryption, and sees if it matches any stored, hashed passwords. If it does, it executes the code in the main body of the program, and sends the result back to the user.

On a related topic, the other answers suggest using the md5 algorithm. However, this is not the most secure algorithm - while secure enough for many purposes, the hashlib module in the standard library gives other, more secure algorithms, and there is no reason not to use these instead.

Answer 5

You can check the hash of what a user has entered vs the hash of your password to check if the user has entered the correct password, I have made a very simple example to show this:

""" Python Password Check """
import hashlib
import sys

password = "2034f6e32958647fdff75d265b455ebf"

def main():
    # Code goes here
    print "Doing some stuff"
    sys.exit(0)


while True:
    input = raw_input("Enter password: ")
    if hashlib.md5(input).hexdigest() == password:
        print "welcome to the program"
        main()
    else:
        print "Wrong Password"

In the example the hashed password is "secretpassword" which hashes to "2034f6e32958647fdff75d265b455ebf" so as you can see even if the source code is decompiled you can still only see the hash of the password rather than the plan text of the password.

To give this a bit of an update for 2016, currently if your hashing passwords in python you should be looking at one of the three following libs:

passlib

>>> # import the hash algorithm
>>> from passlib.hash import sha256_crypt

>>> # generate new salt, and hash a password
>>> hash = sha256_crypt.encrypt("toomanysecrets")
>>> hash
'$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC'

>>> # verifying the password
>>> sha256_crypt.verify("toomanysecrets", hash)
True
>>> sha256_crypt.verify("joshua", hash)
False

Example lifted from here

bcrypt

import bcrypt
password = b"super secret password"
# Hash a password for the first time, with a certain number of rounds
hashed = bcrypt.hashpw(password, bcrypt.gensalt(14))
# Check that a unhashed password matches one that has previously been
#   hashed
if bcrypt.hashpw(password, hashed) == hashed:
    print("It Matches!")
else:
    print("It Does not Match :(")

django-scrypt

Answer 6

Edit: Your revised question makes clear that you're concerned about people editing the code to bypass a password check. Yes, that is quite possible. You can deliver your code in .pyc form, but that won't necessarily prevent someone from decompiling and altering it. Unfortunately, Python's just not designed to prevent code alteration. The best you can do is perform some kind of authentication transaction with a secure server, so that no matter how someone alters the code, they can't bypass that step. Depending on your exact application, that might be overkill.

---

The problem of how to manage password authentication is a tricky security problem on which people spend entire careers. However, here's some information about it, that assumes that you're trying to roll your own password authentication from scratch:

Even for casual password protection, as a general rule, user passwords are not stored in a plaintext form. Instead, usually a reliable one-way hash function is used to create a bit pattern that doesn't resemble the password. When a password is entered, the same hash function is applied and the bit patterns are compared. If they're the same, the likelihood is quite high that the password was entered correctly.

What constitutes a "reliable" hash function is tricky. Several are in common use, and some of the common hash functions are susceptible to known exploits.

Noelkd provides some code that demonstrates this approach, although MD5, which his code uses, is (I believe) one that's been compromised to an extent that there are better choices out there. This article also offers some code to do something similar:

Authentication of Users and Passwords in Python

If your concern is storing the actual password that you have to pass to the SQLite database in plaintext, that's a different problem. Most of the time, I've seen such passwords stored in plaintext in either scripts or a configuration file, and the application is structured in such a way that compromising that password is a matter of modest risk.