Flask Biography Tutorial Part VIII : Using Hash to Store Password Securely

Figure VIII-1 Password stored in a plain text format... Oh Dear!


I do not consider myself a security expert, but storing passwords in plain text in a database is certainly bad practice. If someone (most likely an attacker) gains access to your database, they can read every user's password without any effort at all. In this article I will show how to use Python's MD5 hash function (hashlib.md5) to turn our users' passwords into MD5 hash strings, so that a curious attacker who obtains the database has a much harder time recovering them.

NOTE : rahasia is the Indonesian word for secret.

How to Use Python's MD5 Hash Function

Let's begin by importing Python's hashlib module (the standalone md5 module used by older tutorials is deprecated in Python 2 and gone in Python 3; hashlib.md5 is its replacement) and introducing our new hash_string() method.

import hashlib

# 'application' is the Flask application object created in the earlier
# parts of this series; its SECRET_KEY is mixed into every password hash.
def hash_string(string):
    # SECRET_KEY acts as a global pepper: the same secret is appended to
    # every user's password before hashing.
    salted_hash = string + application.config['SECRET_KEY']
    # hashlib works on bytes, so encode the text first (needed on Python 3).
    return hashlib.md5(salted_hash.encode('utf-8')).hexdigest()

Pretty easy to understand, right? hash_string() returns the MD5 hash of the string passed to it, but first concatenates that string with our application.config['SECRET_KEY']. The motivation: a hash function is deterministic, so the same password always produces the same hash. An attacker who knows (or guesses) that the site stores MD5 hashes can hash a dictionary of common internet passwords and compare the results against the stolen table, or simply look the hashes up in a precomputed table. Mixing the secret key into the input changes every hash, so those precomputed tables no longer match, and an attacker who has only the database (but not the secret key) has to guess the key as well. This makes the attacker's job harder, though certainly not impossible.

Two caveats are worth stating plainly. First, SECRET_KEY is a single value shared by every user (a "pepper" rather than a salt in the strict sense), so two users who choose the same password still end up with the same MD5 string in the database; Figure VIII-2 below shows exactly that. A real salt is a random value generated per user and stored next to the hash. Second, MD5 is designed to be fast, which is the opposite of what a password hash needs: once the key is known, an attacker can test many millions of guesses per second on ordinary hardware. Slow, per-user-salted algorithms such as bcrypt, scrypt or PBKDF2 exist for exactly this reason. Hashing is still a large improvement over plain text, which is the point of this part, so let's carry on with the MD5 version and come back to the stronger scheme at the end.

Implementing it in Our Bio Application 

Now that we have a hash_string() method, we can use it to store our users' passwords as MD5 strings, bringing better security to the Bio Application from the earlier posts. Using it is straightforward: replace every place that stores a plain-text password with the result of hash_string() applied to that password. This also includes the comparison against the password fetched from the database at sign-in.

For example, have a look at our dbinit() method. When saving our default user, we simply used password='rahasia'. Now that we have hash_string(), dbinit() must change as follows:

def dbinit():
    db.drop_all()
    db.create_all()
    # The default user's password is hashed before it ever reaches the table.
    db.session.add(Users(username='ekowibowo', firstname='Eko',
        lastname='Suprapto Wibowo', password=hash_string('rahasia'),
        email='swdev.bali@gmail.com',
        tagline='A cool coder and an even cooler Capoeirista',
        bio='I love Python very much!'))
    db.session.commit()

Have a look at the users table in PostgreSQL. You will find that the password is now stored as an MD5 hash rather than as plain text.


Figure VIII-2 Our users password are secured (hopefully)

Figure VIII-2 above also shows that the same password produces the same hash for every user, because hash_string() mixes in the same SECRET_KEY for everyone.

We also have to change our signup() method so that the password entered in the sign-up form is replaced by its MD5 hash before the user is saved.

def signup():
    ...
    else:
        user.firstname = "Firstname"
        user.lastname = "Lastname"
        # Never persist the raw form value; store its hash instead.
        user.password = hash_string(user.password)
        ...

Lastly, the password comparison in the sign-in process needs to change as well. Have a look at the snippet below:

...
    # The stored value is a hash, so hash the submitted password before comparing.
    if user.password != hash_string(form.password.data):
...

We compare user.password, which now holds a hash, with the hash of the password submitted from the sign-in form, simply because that is how we stored it; the plain-text password never touches the database. Comparing two hex strings with != is good enough here, but a constant-time comparison such as hmac.compare_digest avoids leaking timing information about how many leading characters matched.
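The following is an added example, not code from the tutorial's bio-part-8.zip. It puts the tutorial's hash_string() scheme (MD5 over password plus a global SECRET_KEY) next to the per-user-salted, deliberately slow scheme discussed above, and covers both the hashing step and the sign-in comparison. The SECRET_KEY value is a constructed stand-in for application.config['SECRET_KEY']; the storage format "pbkdf2_sha256$iterations$salt$hash" and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for application.config['SECRET_KEY']; an assumption
# of this example, not the tutorial's real key.
SECRET_KEY = "a-constructed-example-secret-key"


def md5_pepper_hash(password, secret_key=SECRET_KEY):
    """The tutorial's scheme: MD5 over password + application secret key.

    The key is a single global 'pepper', so two users who pick the same
    password end up with identical strings in the database.
    """
    return hashlib.md5((password + secret_key).encode("utf-8")).hexdigest()


# Work factor chosen for this example; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def make_password_hash(password, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus a slow hash (PBKDF2-HMAC-SHA256).

    Returns one string 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    that fits in the users.password column; the salt travels with the hash.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def check_password_hash(stored, password):
    """Sign-in check against a value produced by make_password_hash().

    The salt and iteration count are read back from the stored value, so each
    user is verified with their own salt, and the comparison is constant-time.
    Malformed values (a legacy plain-text or bare MD5 entry) simply fail.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(password="rahasia"):
    """Hash the same password twice under each scheme.

    Returns (md5_collides, pbkdf2_collides): True means the two stored
    values are identical, i.e. an attacker can spot users sharing a password.
    """
    md5_a, md5_b = md5_pepper_hash(password), md5_pepper_hash(password)
    pb_a, pb_b = make_password_hash(password), make_password_hash(password)
    return md5_a == md5_b, pb_a == pb_b


if __name__ == "__main__":
    stored = make_password_hash("rahasia")
    print("stored value          :", stored)
    print("sign-in with 'rahasia':", check_password_hash(stored, "rahasia"))
    print("sign-in with 'Rahasia':", check_password_hash(stored, "Rahasia"))
    print("same password collides? md5+pepper=%s pbkdf2+salt=%s" % compare_schemes())
```

Dropping this into the Bio Application means calling make_password_hash() where the tutorial calls hash_string() in dbinit() and signup(), and replacing the != test at sign-in with check_password_hash(user.password, form.password.data). Werkzeug, which Flask depends on, ships generate_password_hash() and check_password_hash() in werkzeug.security that implement this same salt-plus-slow-hash pattern, so in a real project you would normally use those rather than hand-rolling the format.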

Conclusion

In this part of the series, we used the MD5 hash function provided by Python to store our users' passwords more securely than plain text. Application security is a broad topic and a full treatment needs a security specialist; here I have shown only one measure that can be applied directly in your web application. If you take one thing away: never store plain-text passwords, and when you can, prefer a slow algorithm with a random per-user salt (bcrypt, scrypt or PBKDF2) over plain MD5 with a shared key.

As always, the application source code for this part can be downloaded from here : bio-part-8.zip.

And the live application can be tested here : http://bio-ekowibowo.rhcloud.com. Remember, it always runs the latest version of the application.

Stay tuned!

Copyright(c) 2014 - PythonBlogs.com