Python密码保护 [英] Python Password Protection
问题描述
我是一个初学者,所以如果这个问题听起来很愚蠢,请多多包涵.
我想知道,当我们在python中编写用于用户名/密码检查的代码时,如果未将其编译为exe ie script state,人们会不会轻易打开文件并删除进行密码检查的代码部分?
我假设整个程序完全用python编写,没有用C或C++编写.
即使我使用像py2exe这样的程序,也可以很容易地将其反编译为源代码.那么,这是否意味着进行密码检查毫无用处?
专业程序员如何应对?
您修改后的问题明确表明,您担心有人在编辑代码以绕过密码检查.是的,那是完全有可能的.您可以以.pyc格式交付代码,但这不一定会阻止某人对它进行反编译和更改.不幸的是,Python并不是为了防止代码更改而设计的.您能做的最好的事情就是用安全的服务器执行某种身份验证事务,这样,无论有人如何更改代码,他们都无法绕过该步骤.根据您的确切应用,这可能会适得其反.
如何管理密码身份验证问题是一个棘手的安全性问题,人们在整个职业生涯中都会花很多时间.但是,这是有关此的一些信息,它们假定您试图从头开始进行自己的密码验证:
即使是为了保护临时密码,通常也不会以明文形式存储用户密码.取而代之的是,通常使用可靠的单向哈希函数来创建与密码不同的位模式.输入密码后,将应用相同的哈希函数并比较位模式.如果它们相同,则很可能输入正确的密码.
什么构成可靠的"哈希函数是棘手的.几个是常用的,而一些常见的哈希函数容易受到已知漏洞的攻击.</p>
Noelkd提供了一些代码来演示这种方法,尽管(我相信)他的代码使用的MD5在某种程度上受到了损害,以至于存在更好的选择.本文还提供了一些执行类似操作的代码:
如果您担心要存储要以纯文本格式传递给SQLite数据库的实际密码,那就是另一个问题.在大多数情况下,我已经看到这样的密码以明文形式存储在脚本或配置文件中,并且该应用程序的结构使得妥协该密码的风险不高.
I am a beginner so if this question sounds stupid, please bear with me.
I am wondering that when we write code for username/password check in python, if it is not compiled to exe ie script state, won't people will easily open the file and remove the code potion that is doing the password check?
I am assuming that the whole program is entirely written in python, no C or C++.
Even if I use a program like py2exe it can be easily decompiled back to source code. So, does that mean it is useless to do a password check?
How do professional programmers cope with that?
Edit: Your revised question makes clear that you're concerned about people editing the code to bypass a password check. Yes, that is quite possible. You can deliver your code in .pyc form, but that won't necessarily prevent someone from decompiling and altering it. Unfortunately, Python's just not designed to prevent code alteration. The best you can do is perform some kind of authentication transaction with a secure server, so that no matter how someone alters the code, they can't bypass that step. Depending on your exact application, that might be overkill.
The problem of how to manage password authentication is a tricky security problem on which people spend entire careers. However, here's some information about it, that assumes that you're trying to roll your own password authentication from scratch:
Even for casual password protection, as a general rule, user passwords are not stored in a plaintext form. Instead, usually a reliable one-way hash function is used to create a bit pattern that doesn't resemble the password. When a password is entered, the same hash function is applied and the bit patterns are compared. If they're the same, the likelihood is quite high that the password was entered correctly.
What constitutes a "reliable" hash function is tricky. Several are in common use, and some of the common hash functions are susceptible to known exploits.
Noelkd provides some code that demonstrates this approach, although MD5, which his code uses, is (I believe) one that's been compromised to an extent that there are better choices out there. This article also offers some code to do something similar:
Authentication of Users and Passwords in Python
If your concern is storing the actual password that you have to pass to the SQLite database in plaintext, that's a different problem. Most of the time, I've seen such passwords stored in plaintext in either scripts or a configuration file, and the application is structured in such a way that compromising that password is a matter of modest risk.
这篇关于Python密码保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
