I have recently been working on a program using PyQt5, building myself a small piece of software.

The software requires a username and password to log in. I want to set the username and password once, save them in a safe way, and prevent someone who has my code or access to my computer from being able to log in to my software.

What I did so far is use the keyring module to set a password and hash it with passlib, which eventually saves my password after hashing it. When the user tries to log in, the code takes the entered password and compares it to the hashed password in the keyring files.

So the questions are:

  1. Is it a good way to save the user password like this? Is it safe?
  2. How can I prevent someone with access to my code or my computer from just opening the code and looking at the password?

Here is the password hash script:

```python
from passlib.context import CryptContext
import keyring

# create CryptContext object
context = CryptContext(
    schemes=["pbkdf2_sha256"],
    default="pbkdf2_sha256",
    pbkdf2_sha256__default_rounds=50000
)


def password_encrypter(password):
    # hash password (one-way hash, not reversible encryption)
    hashed_password = context.hash(password)
    return hashed_password


def password_hiding(password):
    # One-time setup: hash the password and store only the hash in the keyring
    hashed_password = password_encrypter(password)
    keyring.set_password("service_name", "user_name", hashed_password)
    return hashed_password


def password_validatation(password):
    # Login check: read the stored hash and verify the entered password against it.
    # This must not call password_hiding(), which would overwrite the stored hash
    # with the hash of whatever was just typed.
    hidden_password = keyring.get_password("service_name", "user_name")
    if hidden_password is None:
        return False
    check_if_hashed = context.verify(password, hidden_password)
    return check_if_hashed


if __name__ == "__main__":
    # Test
    password_hiding("my_password")
    print(password_validatation("my_password"))
```

I am also adding the login script:

```python
from PyQt5 import QtWidgets
# from mainwindow import Ui_MainWindow
from qtwidgets import PasswordEdit
from .password_generator import password_validatation

class Login(QtWidgets.QDialog):
    def __init__(self, parent=None):
        super(Login, self).__init__(parent)
        self.textName = QtWidgets.QLineEdit(self)
        self.textPass = PasswordEdit()
        self.buttonLogin = QtWidgets.QPushButton('Login', self)
        self.buttonLogin.clicked.connect(self.handleLogin)
        layout = QtWidgets.QVBoxLayout(self)
        layout.addWidget(self.textName)
        layout.addWidget(self.textPass)
        layout.addWidget(self.buttonLogin)

    def handleLogin(self):
        # True only if the entered password matches the hash stored in the keyring
        password_ok = password_validatation(self.textPass.text())
        if (self.textName.text() == 'user_name' and
                password_ok):
            self.accept()
        else:
            QtWidgets.QMessageBox.warning(
                self, 'Error', 'Bad user or password!')

class Window(QtWidgets.QMainWindow):
    def __init__(self, parent=None):
        super(Window, self).__init__(parent)
        # self.ui = Ui_MainWindow()
        # self.ui.setupUi(self)

def main():
    import sys
    app = QtWidgets.QApplication(sys.argv)
    login = Login()

    if login.exec_() == QtWidgets.QDialog.Accepted:
        window = Window()
        window.show()
        sys.exit(app.exec_())


if __name__ == '__main__':
    main()
```

1 Answer

Passwords saved using keyring are already saved in the "safe storage" for passwords of your OS.

> is it a good way to save the user password like this? is it safe?

Yes, it relies on the OS's own security mechanism.

> how can i prevent someone with access to my code or my computer to just open the code and look on the password?

If someone has access to your session on your computer, they could access the safe storage with or without the code. Your code has no obvious security flaws; your security here is limited to your OS's session access at this point.

2 Comments

And let's say when I'm done writing my code, I move it to my friend's computer, and one of the conditions for running the program is to enter the username and password I gave him. How can I prevent him from just opening the source code and changing this function: `def handleLogin(self): password = password_validatation(self.textPass.text()) if (self.textName.text() == 'user_name' and self.textPass.text() == True): self.accept()` He could just change the username and password here to whatever he wants, or remove the function.
You can't. By definition, if he has access to the source, he can do whatever he wants. If you have some sensitive data/processes, you might have to redesign your software to keep control of everything sensitive. Maybe it should be done on a separate server?
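
The set-once and verify-at-login flow discussed in this thread, as an added example that is not the asker's or the answerer's code. It assumes the standard library only (`hashlib` PBKDF2 in place of passlib) and a dict named `store` standing in for the keyring so it runs offline, and it shows why the login check must never write to the store.

```python
import hashlib
import hmac
import os

ROUNDS = 50_000  # same work factor the question configures for pbkdf2_sha256

# In-memory stand-in for the OS keyring (assumption, so the example runs offline).
store = {}


def enroll(user, password):
    """One-time setup: keep a random salt and the PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    store[user] = (salt, digest)


def verify(user, password):
    """Login check: recompute with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, expected)


def verify_overwriting(user, password):
    """Flawed variant: re-enrolls the entered password before checking it."""
    enroll(user, password)         # replaces the stored hash with the attempt
    return verify(user, password)  # so the check can only succeed


def demo():
    enroll("user_name", "my_password")  # constructed sample credentials
    good = verify("user_name", "my_password")
    bad = verify("user_name", "wrong_guess")
    unknown = verify("nobody", "my_password")
    flawed = verify_overwriting("user_name", "wrong_guess")
    # After the flawed call, the real password no longer matches the store.
    locked_out = not verify("user_name", "my_password")
    return good, bad, unknown, flawed, locked_out


if __name__ == "__main__":
    print(demo())
```

This protects the stored secret only; as the last comment says, a check that runs from editable source on the user's machine can be removed by that user.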
