
Nsutton

Original poster
Code:
user1='apples'
passw='bacon'

user2=raw_input("Username: ")
password=raw_input("Enter Password: ")
if user1==user2 and password==passw:
	print "System Acessed..."
else:
	print "Error: Incorrect username or password."

I've seen other ways to do this. Is this code insecure?

What are more efficient/better ways to make a python login?
 

Cromulent

user='apples'

...

user=raw_input("Username: ")

...

if user==user

Recheck this code. It does not do what you expect it to do.

Edit: To answer the actual question, no it is not secure. You should hash and salt the password and store that. Then when you get user input you should hash and salt that in the same way and then compare the results.
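
Added example, not code from any poster in this thread: the "hash and salt, store that, then hash the input the same way and compare" flow described above, written for Python 3 (the thread's code is Python 2). Using PBKDF2-HMAC-SHA256 as the hash, the iteration count, and the names `make_record`, `verify`, `login` and `USERS` are assumptions of this example; the post only says to hash and salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def make_record(password, salt=None):
    """Return (salt, derived_key) to store instead of the password itself."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password, salt, stored_key):
    """Hash the attempt with the stored salt and compare in constant time."""
    _, attempt = make_record(password, salt)
    return hmac.compare_digest(attempt, stored_key)


# Constructed sample store: username -> (salt, derived key). It is built here
# from the thread's sample credentials only so the example is self-contained;
# a real program creates the record at registration and loads it from storage,
# so no plaintext password sits in the source or the .pyc file.
USERS = {"apples": make_record("bacon")}


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Unknown user: do the same hashing work so response time does not
        # reveal which usernames exist, then fail.
        make_record(password, b"\x00" * 16)
        return False
    salt, stored_key = record
    return verify(password, salt, stored_key)


if __name__ == "__main__":
    import getpass
    user = input("Username: ")
    pw = getpass.getpass("Enter Password: ")  # does not echo the password
    print("System Accessed..." if login(user, pw) else
          "Error: Incorrect username or password.")
```

Because each record has its own random salt, two accounts with the same password store different values, and the stored key alone is not enough to log in.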
 

jpyc7

Yes, it is insecure. If you gave someone your "pyc" file, then they could search for human-readable strings in it and probably guess the user and password.

The typical way to prevent that is to use one-way hashing before a comparison of password.

Assuming the main reason for writing your code is not to develop "login", I think you could use various python modules that could help with a more secure solution. We use LDAP at work, although I don't know if it encrypts anything.
 

lee1210

I don't disagree with what Cromulent said at all. We're moving hashes from MD5 to SHA-2, in fact. However, if the OP is just wanting to learn concepts, doing it this time with MD5 should be fine. Certainly they should be aware that this is not par for security right now, but if it serves to demonstrate the idea it can't hurt. Just don't build a new, production system with MD5.

-Lee
 

Nsutton

Original poster
The whole point of making the login is just to learn how to create a login and the different ways of hashing and encrypting.
 

Nsutton

Original poster
Code:
#HASH 'N' EGGS
import hashlib
#Username Hash
user = hashlib.md5()
user.update("apples")
user.digest
#Password Hash
pw = hashlib.md5()
pw.update("bacon")
pw.digest

#User/Password Input
user2=raw_input("Username: ")
password=raw_input("Enter Password: ")
if user2==user and password==pw:
	print "System Acessed..."
else:
	print "Error: Incorrect username or password."
The hashing seems to work for me, but when you enter the correct username/password it doesn't accept it... I'm assuming I need to dehash it to enter the dehashed user/pass. But how?
 

changxii

The whole point of making the login is just to learn how to create a login and the different ways of hashing and encrypting.

If you're looking for a good source to learn about cryptography/computer security check out these notes. Prof. Kak has basically made a free online textbook and updates it every semester. Chapter 15 deals with the different types of hashing described above.

http://cobweb.ecn.purdue.edu/~kak/compsec/Lectures.html
 

Mernak

The current problem with the hash is that while you are hashing the user/password to compare it to, you are not hashing the ones that are being input by the user, so right now the equals test will be something like
Code:
'apples'=='a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'
(I just chose a hash from the hashlib doc). I'll update this with some code in a bit, so you can see an example.

EDIT:
Code:
#HASH 'N' EGGS
import hashlib
#Username Hash
user = hashlib.md5("apples").digest()
#Password Hash
pw = hashlib.md5("bacon").digest()

#User/Password Input
user2=hashlib.md5(raw_input("Username: ")).digest()
password=hashlib.md5(raw_input("Enter Password: ")).digest()
if user2==user and password==pw:
	print "System Acessed..."
else:
	print "Error: Incorrect username or password."
    
#Just chose to make all the hashes one line; it's easier for me to understand
#Hashed the input directly for security reasons (no local variable for the unhashed info)
#Usernames don't always need to be hashed, depending on how you want to access the system and what features you want to have.
 