Storing and validating encrypted password for login in Pyramid

Frontend | Unresolved | 2 answers | 1906 views
佛祖请我去吃肉 2021-01-12 22:08

I am trying to validate an encrypted password for login purposes in Pyramid. So that if the user and password match then the system will authorize the user. At

2 answers
  • 2021-01-12 22:49

    WARNING INSECURE CODE FOLLOWS

    The code below is NOT a SECURE and SAFE way to store/verify user passwords. Please use a library that provides secure password storage, such as passlib which is specifically designed to securely store passwords.


    You hash the user's password in your User.__init__ using self.password = hashlib.sha224(password).hexdigest(). Just use a similar method to validate it:

    import hashlib

    class User(Base):
        # Your existing code unchanged

        def validate_password(self, password):
            # Same unsalted SHA-224 digest that __init__ stores; on Python 3
            # hashlib needs bytes, so encode the password the same way __init__ does
            return self.password == hashlib.sha224(password).hexdigest()
    

    And use it in your view:

    user = api.retrieve_user(login)
    if user is not None and user.validate_password(password):
        pass  # Your logic on success
    
  • 2021-01-12 22:58

    Please modify your code, add the excellent passlib library, and use secure password storage using bcrypt as the hashing algorithm.

    In your project's setup.py add the following as requirements:

    • bcrypt
    • passlib

    And then use the following code snippet for your model:

    from sqlalchemy import Column, Integer, String
    from sqlalchemy.ext.declarative import declarative_base
    from passlib.hash import bcrypt

    Base = declarative_base()

    class User(Base):
        __tablename__ = 'users'

        id = Column(Integer, primary_key=True)
        username = Column(String(15), nullable=False, unique=True)
        email = Column(String(300))
        password = Column(String(300), nullable=False)

        def __init__(self, username, password, email):
            self.username = username
            # bcrypt.hash() generates a random salt and embeds salt, cost and
            # digest in the returned string (passlib 1.7 renamed encrypt() to hash())
            self.password = bcrypt.hash(password)
            self.email = email

        def validate_password(self, password):
            # verify() parses the stored string and re-hashes the candidate with the same salt/cost
            return bcrypt.verify(password, self.password)

        def __repr__(self):
            return "<User(username ='%s', password='%s', email='%s')>" % (self.username, self.password, self.email)
    
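As an added, dependency-free illustration of the point both answers make (not code from either answer, and not passlib's own API): the block below implements the same store/verify pattern as the second answer using only the standard library, with PBKDF2-HMAC-SHA256 standing in for bcrypt, a random per-user salt, a self-describing stored string, and a constant-time comparison. It also keeps the first answer's unsalted SHA-224 scheme alongside, so the difference is visible: two users with the same password get different PBKDF2 strings but identical SHA-224 digests. The `User` class, the iteration count and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: 600_000 iterations follows current OWASP guidance for PBKDF2-SHA256;
# tune it to your hardware so a single verify costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex.

    Storing the salt and work factor next to the digest lets verify_password()
    recover them later and lets you raise the iteration count without a schema change.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed or truncated record: treat as a failed login, never as a crash
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first mismatching byte is via timing
    return hmac.compare_digest(actual, expected)


def unsalted_sha224(password: str) -> str:
    """The scheme from the first answer, kept only to show why it is weak."""
    return hashlib.sha224(password.encode("utf-8")).hexdigest()


class User:
    """Constructed stand-in for the SQLAlchemy model in the question (no ORM needed here)."""

    def __init__(self, username: str, password: str, email: str):
        self.username = username
        self.password = hash_password(password)
        self.email = email

    def validate_password(self, password: str) -> bool:
        return verify_password(password, self.password)


def login(users: dict, username: str, password: str) -> bool:
    """Mirror the view logic: look the user up, then check the password."""
    user = users.get(username)
    return user is not None and user.validate_password(password)


if __name__ == "__main__":
    # Constructed sample accounts sharing a password
    alice = User("alice", "correct horse", "alice@example.com")
    bob = User("bob", "correct horse", "bob@example.com")
    print("pbkdf2 strings differ per user:", alice.password != bob.password)
    print("sha224 digests are identical:",
          unsalted_sha224("correct horse") == unsalted_sha224("correct horse"))
    print("login ok:", login({"alice": alice}, "alice", "correct horse"))
```

The stored format deliberately mirrors what passlib's bcrypt string does implicitly: the salt and cost travel with the hash, so nothing secret is needed server-side to verify, and a later migration to a higher work factor can re-hash each user on their next successful login.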