2

I'm working on a small uni project where I have a program for a single user in Python using the tkinter module. I want create a screen where they will be required to enter their password. I'm not sure how to do this and where would I store the password?

I have no experience in database but I've heard of MD5 & SHA256 and I was thinking of writing the hashed or encrypted password to a text file and then reading it but I am not sure if this is safe.

The password functionality is to prevent others from looking at the users' personal diary entries.

Improve this question
2
  • Are you trying to just make something proof of concept for your project? Or a robust solution? Commented Jun 10, 2012 at 5:12
  • @jdi Could you please expand on your question? I'm not exactly sure what you are asking. Commented Jun 10, 2012 at 5:15

1 Answer 1

Reset to default
3

This answer takes the simplest route in achieving a measure of security. @J.F.Sebastian points out in comments that you can definitely explore more robust security procedures with greater encryption, but this really depends on your needs

If your goal is just to experiment and create a proof-of-concept login system, you can just go with the encryption + flat file approach. For storing a password, you probably only need SHA1 since what you are encrypting is a variation of the password, and not sensitive data itself. What I mean is that you don't care about the data itself. You only care about comparing encryption results...

First you would pick a secret character set as a "salt". Unfortunately you are using an uncompiled language, so your salt will probably live within your program. But at least the password files by themselves are not useable. ("salt" is being used here as your only secret value. In a more secure approach, the secret would be a separate key used outside of the hashing of the password+salt)

import hashlib
salt = "[email protected],>W+6&`A63/"
user_password = "password"
sha1 = hashlib.sha1()
sha1.update(user_password + salt)
encrypted = sha1.hexdigest()
print encrypted
# 476dc4076d1c7eb43152b78e9dc20d892f660f24

You can store that encrypted sha1 value to a file. Its of no use to anyone without the secret salt value. All you will do is use this value to compare against the future sha1 value when a user authenticates

test_sha1 = hashlib.sha1(raw_input("Enter password: ") + salt).hexdigest()
# Enter password:  password
print encrypted == test_sha1
# True

You never actually know their password. You only know the sha1 value derived from it plus the salt. Think of it like two guards each needing to provide a key, turned simultaneously, to open the vault.

Otherwise.... you can store this in a database, along with the salt value. The procedure would still be the same but you move the salt to a more secure location that requres auth to even query it. No matter what, your salt secret is the most prized possession.

Addressing the SHA256... Greater encryption algorithms are needed for the act of storing the real data in a tangible format that needs protection (or when creating a slower hashing process for your passwords to make brute force cracking take longer to accomplish). For instance, if you decided to store a users private diary entries, you might encrypt against their password, and only store this encrypted format either on disk or in a database. When the user authenticates, you can deliver to them the decrypted data by way of their password. You never store the password, so even you as the author of the software can't access their data without their original password.

Again, as @J.F.Sebastian points out, the more robust approach would be using a bcrypt library: http://www.mindrot.org/projects/py-bcrypt/

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

The salt is not a secret, it just protects against a rainbow table attack. Use getpass instead of raw_input. Use bcrypt-like functions instead of sha1. There is no need to save the password or its derivatives to disk. In general don't implement cryptography functions at all, delegate it to known tools.
@J.F.Sebastian How or where would I save the password instead of saving it to the disk?
@J.F.Sebastian: Please note that I had asked the OP if they wanted a "getting started, proof of concept" approach, or a fully robust approach. I assumed this is a small learning project so I am giving a very basic, no deps needed, approach. Also, the "raw_input" is again for illustrative purpose. He is going to be using tkinter GUI for input. If you want to provide the OP an alternative very robust solution, please do so.
@J.F.Sebastian: There are so many resources on SO answering questions about password cryptography. Its not the approach I am taking here. The OP can always research specifics about cryptography. What I assumed the OP wanted was an entry-level way to integrate simple authentication with his tkinter GUI learning project. It would be best if you didn't confuse the OP with short comments, and rather just submitted an answer outlining your more robust approach
@jdi Please don't assume I am a male. Yes, I was looking for an entry-level way to integrate simple authentication with my tkinter GUI learning project so thank you very much for your help.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.