(Python) Password and Login

Discussion in 'Mac Programming' started by Nsutton, Apr 17, 2010.

  1. Nsutton macrumors member

    Nsutton

    Joined:
    Dec 29, 2009
    Location:
    6 Feet Under
    #1
    Code:
    user1='apples'
    passw='bacon'
    
    user2=raw_input("Username: ")
    password=raw_input("Enter Password: ")
    if user1==user2 and password==passw:
    	print "System Acessed..."
    else:
    	print "Error: Incorrect username or password."	
    I've seen other ways to do this. Is this code insecure?

    What are more efficient/better ways to make a python login?
     
  2. Cromulent macrumors 603

    Cromulent

    Joined:
    Oct 2, 2006
    Location:
    The Land of Hope and Glory
    #2
    Recheck this code. It does not do what you expect it to do.

    Edit: To answer the actual question, no it is not secure. You should hash and salt the password and store that. Then when you get user input you should hash and salt that in the same way and then compare the results.
     
  3. jpyc7 macrumors 6502

    Joined:
    Mar 8, 2009
    Location:
    Denver, CO
    #3
    Yes, it is insecure. If you gave someone your "pyc" file, then they could search for human-readable strings in it and probably guess the user and password.

    The typical way to prevent that is to use one-way hashing before a comparison of password.

    Assuming the main reason for writing your code is not to develop "login", I think you could use various python modules that could help with a more secure solution. We use LDAP at work, although I don't know if it encrypts anything.
     
  4. Nsutton thread starter macrumors member

    Nsutton

    Joined:
    Dec 29, 2009
    Location:
    6 Feet Under
    #4
    Oh, because they're all named the same...
    I fixed it.
     
  6. Cromulent macrumors 603

    Cromulent

    Joined:
    Oct 2, 2006
    Location:
    The Land of Hope and Glory
    #7
    Be aware though that a simple hash, especially an MD5 one, is not sufficient. You need to look into salts too.

    I suggest if you use a hash that you use SHA-256 at a minimum with SHA-512 being the best option.

    If you really are concerned with security though, no hashing method matches encrypting the password.
     
  7. lee1210 macrumors 68040

    lee1210

    Joined:
    Jan 10, 2005
    Location:
    Dallas, TX
    #8
    I don't disagree with what Cromulent said at all. We're moving hashes from MD5 to SHA-2, in fact. However, if the OP is just wanting to learn concepts, doing it this time with MD5 should be fine. Certainly they should be aware that this is not par for security right now, but if it serves to demonstrate the idea it can't hurt. Just don't build a new, production system with MD5.

    -Lee
     
  8. Nsutton thread starter macrumors member

    Nsutton

    Joined:
    Dec 29, 2009
    Location:
    6 Feet Under
    #9
    The whole point of making the login is just to learn how to create a login and the different ways of hashing and encrypting.
     
  9. Nsutton thread starter macrumors member

    Nsutton

    Joined:
    Dec 29, 2009
    Location:
    6 Feet Under
    #10
    Code:
    #HASH 'N' EGGS
    import hashlib
    #Username Hash
    user = hashlib.md5()
    user.update("apples")
    user.digest
    #Password Hash
    pw = hashlib.md5()
    pw.update("bacon")
    pw.digest
    
    #User/Password Input
    user2=raw_input("Username: ")
    password=raw_input("Enter Password: ")
    if user2==user and password==pw:
    	print "System Acessed..."
    else:
    	print "Error: Incorrect username or password."
    The hashing seems to work for me, but when you enter the correct username/password it doesn't accept it... I'm assuming I need to dehash it to enter the dehashed user/pass. But how?
     
  10. changxii macrumors newbie

    Joined:
    Mar 17, 2009
    #11
    If you're looking for a good source to learn about cryptography/computer security, check out these notes. Prof. Kak has basically made a free online textbook and updates it every semester. Chapter 15 deals with the different types of hashing described above.

    http://cobweb.ecn.purdue.edu/~kak/compsec/Lectures.html
     
  11. Mernak macrumors 6502

    Joined:
    Apr 9, 2006
    Location:
    Kirkland, WA
    #12
    The current problem with the hash is that while you are hashing the user/password to compare it to, you are not hashing the ones that are being input by the user, so right now the equals test will be something like
    Code:
    'apples'=='a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'
    (I just chose a hash from the hashlib doc). I'll update this with some code in a bit, so you can see an example.

    EDIT:
    Code:
    #HASH 'N' EGGS
    import hashlib
    #Username Hash
    user = hashlib.md5("apples").digest()
    #Password Hash
    pw = hashlib.md5("bacon").digest()
    
    #User/Password Input
    user2=hashlib.md5(raw_input("Username: ")).digest()
    password=hashlib.md5(raw_input("Enter Password: ")).digest()
    if user2==user and password==pw:
    	print "System Acessed..."
    else:
    	print "Error: Incorrect username or password."
        
    #Just chose to make all the hashes one line; it's easier for me to understand
    #Hashed the input directly for security reasons (no local variable for the unhashed info)
    #Usernames don't always need to be hashed, depending on how you want to access the system and what features you want to have.
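
The salt-and-hash flow recommended earlier in the thread (store a salted hash, hash the input the same way, compare the results), as an added example that is not any poster's code. It is written for Python 3, swaps the single MD5 round for PBKDF2-HMAC-SHA256 from `hashlib`, and the names `make_record`, `verify`, `login`, `ITERATIONS` and `USERS` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def make_record(password: str) -> dict:
    """Build what gets stored for one user: salt, iteration count, derived hash."""
    salt = os.urandom(16)  # fresh random salt per user, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Hash the attempt with the stored salt, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Placeholder record so an unknown username costs the same work as a known one.
_DUMMY = make_record("placeholder-not-a-real-password")


def login(users: dict, username: str, attempt: str) -> bool:
    """Return True only when the username exists and the password matches."""
    record = users.get(username)
    if record is None:
        verify(_DUMMY, attempt)  # do the same hashing work, then reject
        return False
    return verify(record, attempt)


# Constructed sample data reusing the thread's example credentials.
# Two users share the password "bacon" to show what the salt changes.
USERS = {"apples": make_record("bacon"), "eggs": make_record("bacon")}

if __name__ == "__main__":
    print(login(USERS, "apples", "bacon"))   # correct credentials
    print(login(USERS, "apples", "ham"))     # wrong password
    print(login(USERS, "nobody", "bacon"))   # unknown user
    print(USERS["apples"]["hash"] == USERS["eggs"]["hash"])  # same password, different hashes
```

Nothing in the stored record can be "dehashed"; the login check works because the attempt is run through the same salt and iteration count and the two digests are compared.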
    
     