
I'd like to create a secure login with Python, but I need to check the user table from a database so that multiple users can log in with their own password. Mainly like this; it works like a charm but is not secure, of course.

import getpass
import sqlite3

while True:
    USER = input("User: ")
    PASSWORD = getpass.getpass()

    db = sqlite3.connect("test.db")
    c = db.cursor()
    # Compares the entered password against a plain-text column (the insecure part)
    login = c.execute("SELECT * from LOGIN WHERE USER = ? AND PASSWORD = ?", (USER, PASSWORD))

    if len(login.fetchall()) > 0:
        print()
        print("Welcome")
        break
    else:
        print("Login Failed")
        continue

So then I tried hashing the password, which also works of course, but then I can't store it in the database to check against, so there is no check at all.

import getpass
from passlib.hash import sha256_crypt

password = input("Password: ")
hash1 = sha256_crypt.encrypt(password)
hash2 = sha256_crypt.encrypt(password)
print(hash1)  # each call picks a fresh salt, so the two hashes differ
print(hash2)

passwd = getpass.getpass("Please enter the secret password: ")

# verify() reads the salt back out of the stored hash string, so either hash works here
if sha256_crypt.verify(passwd, hash1):
    print("Everything worked!")
else:
    print("Try again :(")

I tried it like this so that the password hash would be taken from the database, but with no success:

import getpass
import sqlite3
from passlib.hash import sha256_crypt

USER = input("User: ")
db = sqlite3.connect("test.db")
c = db.cursor()
# This only builds a query string; nothing is ever executed against the database
hash = "SELECT HASH FROM LOGIN WHERE USER = %s"%USER
print(hash)
passwd = getpass.getpass("Password: ")

if sha256_crypt.verify(passwd, hash):
    print("Everything worked!")
else:
    print("Try again :(")

So my question is: what is the best way to create a secure login for my program? I do need different logins for different users, as stated in the user table. I did it on MySQL before, but for testing purposes I'm now trying on SQLite3, so that doesn't matter, as long as I know how to approach this.

  • I do like the first method though. But since it's plain text I don't think it's very secure :P Commented Sep 8, 2017 at 14:08
  • Don't use the first one, it's not safe at all. If someone has access to the database, he knows all the passwords. Save a hashed password, and hash the input password. After that you can check if they match. I don't know how your application is going to be used, but if security is really important, try using a salt/pepper method. Commented Sep 8, 2017 at 14:16
  • You mean like the last option? But then how can I check them? hash = "SELECT HASH FROM LOGIN WHERE USER = %s"%USER doesn't work. Commented Sep 8, 2017 at 14:19
  • Yes. I don't have the passlib library so I can't test it. But if you have a method which hashes a string, you can hash that input string (password) and check if it's equal to the hashed password in your database table. Commented Sep 8, 2017 at 14:23

1 Answer


Really you should avoid doing this yourself at all. There are plenty of libraries that correctly implement this kind of authentication.

Nevertheless, the pattern to follow is like this:

  • Don't store the plain password in the database at all. When the user account is created, hash the password immediately and store that.
  • When the user logs in, hash the value they enter for the password, then compare that against the value stored in the database already.

(Note that for decent security, you not only need to use a modern hash algorithm but should also use a salt).
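The pattern above, as an added worked example that is not the answer's own code: it uses Python's standard-library PBKDF2 and an in-memory SQLite table as stand-ins for passlib and test.db, stores only a per-user random salt plus the derived hash when the account is created, and at login fetches that row with a parameterised query, re-derives the hash from the entered password and compares it in constant time. The table and column names (LOGIN, USER, HASH, plus an added SALT column) follow the question; the iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# PBKDF2-HMAC-SHA256 parameters (assumed values; a stdlib stand-in for passlib's sha256_crypt)
ITERATIONS = 200_000
SALT_BYTES = 16


def create_table(db):
    db.execute("CREATE TABLE IF NOT EXISTS LOGIN (USER TEXT PRIMARY KEY, SALT BLOB, HASH BLOB)")


def create_user(db, user, password):
    """Hash the password with a fresh random salt and store only the salt and the hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db.execute("INSERT INTO LOGIN (USER, SALT, HASH) VALUES (?, ?, ?)", (user, salt, digest))
    db.commit()


def verify_login(db, user, password):
    """Fetch the stored salt/hash for USER (parameterised, never %s), re-hash the input, compare."""
    row = db.execute("SELECT SALT, HASH FROM LOGIN WHERE USER = ?", (user,)).fetchone()
    if row is None:
        # Unknown user: still run the KDF so the timing matches the known-user path
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo():
    # Constructed sample data in an in-memory database
    db = sqlite3.connect(":memory:")
    create_table(db)
    create_user(db, "alice", "correct horse")
    create_user(db, "bob", "battery staple")
    return (verify_login(db, "alice", "correct horse"),
            verify_login(db, "alice", "battery staple"),
            verify_login(db, "mallory", "anything"))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```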


6 Comments

I don't understand what you mean. It's a simple SELECT password FROM table WHERE user = %s;, you don't need to do anything special.
Apparently I can only select that hash if I put in more than 2 values. Like the found function..
I still don't understand. As I clearly stated twice, you should not be doing anything with the HASH function in the database.
So no password storage at all in the database? I need a little break here; if I can't fix this soon then I'll make some encryption of my own, because this comparing thing doesn't work out for me.. Maybe another suggestion? What can I use? I do need the option for every user on the list to log in.
I can't understand how my answer was unclear. Store the hashed password only. Retrieve that hashed value directly from the db. Hash the entered password and compare it with the previously hashed version from the db.
