I don't consider myself a security expert, but storing plain text passwords in a database is surely a bad practice. If someone (probably a hacker) gains access to your database, he or she can read your users' passwords without any hassle. In this article I will show how you can easily use the Python md5 package to convert our users' passwords into MD5 strings, making it not so easy for a curious hacker to read them.
rahasia is Indonesian word for
How to Use Python MD5 Package
Let's begin by simply importing the Python md5 package and introducing our new hash_string() method:

```python
import md5

def hash_string(string):
    # Concatenate the password with the application-wide secret key (our "salt")
    # and return the hex digest of the MD5 hash of that combined string.
    salted_hash = string + application.config['SECRET_KEY']
    return md5.new(salted_hash).hexdigest()
```
Pretty easy to understand, right? We just return an MD5 hash of the string sent to the hash_string() method. But before doing that, we concatenate our string argument with a salt, which is our application.config['SECRET_KEY']. The reason we do this is that hashing the same string always produces the same hash. Knowing this, an attacker who somehow learns that our site stores passwords as hashes can run a brute-force attack against it using a dictionary of common passwords found on the internet. Concatenating the user's password with our application secret key produces a different set of MD5 strings. Surely this gives the attacker a more difficult (though still not impossible) challenge.
Implementing it in Our Bio Application
Now that we have a new hash_string() method, we can use it to store our users' passwords as MD5 strings, bringing better security to the Bio Application from the earlier posts. Using hash_string() is quite trivial: replace every place that stores a password in plain text with the result of hash_string() applied to that password. This also includes the comparison against the password fetched from the database.
For example, have a look at our dbinit() method. When saving our default user, we simply used password='rahasia'. Now that we have the hash_string() method, we must change dbinit() as follows:
```python
def dbinit():
    db.drop_all()
    db.create_all()
    db.session.add(Users(username='ekowibowo',
                         firstname='Eko',
                         lastname='Suprapto Wibowo',
                         # store the MD5 hash instead of the plain text 'rahasia'
                         password=hash_string('rahasia'),
                         email='firstname.lastname@example.org',
                         tagline='A cool coder and an even cooler Capoeirista',
                         bio='I love Python very much!'))
    db.session.commit()
```
Have a look at the users table in your PostgreSQL database. You will find that our user's password is now stored (more) securely.
Figure VIII-2 Our users password are secured (hopefully)
Figure VIII-2 above also shows that hashing the same string results in the same hash.
We also have to change our signup() method so that the password entered by the user in the sign up form is converted into its MD5 hash string.

```python
def signup():
    ...
    else:
        user.firstname = "Firstname"
        user.lastname = "Lastname"
        # hash the password entered in the sign up form before storing it
        user.password = hash_string(user.password)
    ...
```
Lastly, the other code that needs to change is the password comparison in the sign in process. Have a look at the snippet below!

```python
...
# compare the stored hash against the hash of the password submitted in the form
if user.password != hash_string(form.password.data):
...
```

We compare the stored user.password with the hash of the password sent from the sign in form, simply because we stored our user's password as the result of the MD5 hash function.
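To make the salt discussion and the Figure VIII-2 observation concrete, here is an added Python 3 example (not code from the post; Python 3 has no `md5` module, so `hashlib.md5` is used for the same digest, and the `SECRET_KEY` value and the two users are constructed). It re-implements the post's hash_string() and sign-in check, shows that two users with the same password get the same stored hash under an application-wide salt, and then goes one step beyond the post with a per-user random salt, under which the two hashes differ.

```python
import hashlib
import os

# Stand-in for application.config['SECRET_KEY'] from the post (constructed value).
SECRET_KEY = "constructed-demo-secret-key"


def hash_string(string, secret_key=SECRET_KEY):
    """The post's hash_string(): MD5 over password + application-wide secret."""
    salted = (string + secret_key).encode("utf-8")
    return hashlib.md5(salted).hexdigest()


def check_password(stored_hash, submitted_password, secret_key=SECRET_KEY):
    """The sign-in comparison from the post: hash the form value, then compare."""
    return stored_hash == hash_string(submitted_password, secret_key)


def hash_with_user_salt(string, salt=None):
    """Variation not in the post: a random salt generated per user and stored
    beside the digest. Returns (salt_hex, digest)."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.md5((salt + string).encode("utf-8")).hexdigest()
    return salt, digest


def check_with_user_salt(salt, stored_digest, submitted_password):
    """Sign-in check for the per-user salt variant: re-hash with the stored salt."""
    return stored_digest == hash_with_user_salt(submitted_password, salt)[1]


if __name__ == "__main__":
    # Two constructed users who happen to pick the same password 'rahasia'.
    a = hash_string("rahasia")
    b = hash_string("rahasia")
    print(a == b)  # True: same password + same application salt = same row value
    print(hash_string("rahasia", "other-key") == a)  # False: the salt changes the digest
    print(check_password(a, "rahasia"), check_password(a, "Rahasia"))  # True False
    salt_a, digest_a = hash_with_user_salt("rahasia")
    salt_b, digest_b = hash_with_user_salt("rahasia")
    print(digest_a == digest_b)  # False: per-user salts make identical passwords differ
    print(check_with_user_salt(salt_a, digest_a, "rahasia"))  # True
```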
In this part of the article series, we have used the MD5 hash function provided by Python to store our users' passwords more securely. The topic of application security is too broad and needs a security expert to explain it further. Here, I have only shown one type of protection that you can directly implement in your web application.
As always, the application source code for this part can be downloaded from here : bio-part-8.zip.
Its live application can be tested here : http://bio-ekowibowo.rhcloud.com. Remember, it always gives you the latest application version.