使用来自用户数据库的Python凭据安全登录 [英] Secure login with Python credentials from user database
问题描述
我喜欢使用Python创建安全登录名,但是需要从数据库中检查用户表,以便多个用户可以使用自己的密码登录. 主要是这样,就像魅力一样,但是当然不能保证安全.
I like to create a secure login with Python but need to check the user table from a database, so that multiple users can log in with their own password. Mainly like this, works like a charm but not secured of course.
while True:
USER = input("User: ")
PASSWORD = getpass.getpass()
db = sqlite3.connect("test.db")
c = db.cursor()
login = c.execute("SELECT * from LOGIN WHERE USER = ? AND PASSWORD = ?", (USER, PASSWORD))
if (len(login.fetchall()) > 0):
print()
print("Welcome")
break
else:
print("Login Failed")
continue
因此,我尝试对密码进行哈希处理,当然也可以使用,但是后来我无法将其存储在数据库中以进行检查,因此根本就没有检查.
So then I tried hashing the password, work also of course, but then I can't store it on the database to check, so there is no check at all.
from passlib.hash import sha256_crypt
password = input("Password: ")
hash1 = sha256_crypt.encrypt( password )
hash2 = sha256_crypt.encrypt( password )
print(hash1)
print(hash2)
import getpass
from passlib.hash import sha256_crypt
passwd = getpass.getpass("Please enter the secret password: ")
if sha256_crypt.verify( passwd, hash ):
print("Everything worked!")
else:
print("Try again :(")
我这样尝试过,以便密码哈希将从数据库中获取,但没有成功:
I tried like this so that the password hash would be taken from the database but with no success:
USER = input("User: ")
db = sqlite3.connect("test.db")
c = db.cursor()
hash = "SELECT HASH FROM LOGIN WHERE USER = %s"%USER
print(hash)
passwd = getpass.getpass("Password: ")
if sha256_crypt.verify( passwd, hash ):
print("Everything worked!")
else:
print("Try again :(")
所以我的问题是,为程序创建安全登录名的最佳方法是什么?正如用户表中所述,我确实需要为不同的用户提供不同的登录名.我以前在MySQL上做过,但是出于测试目的,我现在尝试在sql3上做.所以没关系.只要我知道该如何处理.
So my question is, what is the best way to create a secure login for my program? And I do need different logins for different users as stated in the user table. I did it on MySQL before but for testing purpose I'm now trying on sql3. So that doesn't matter. As long as I know how to approach this.
推荐答案
真的,您应该完全避免自己这样做.有很多库可以正确实现这种身份验证.
Really you should avoid doing this yourself at all. There are plenty of libraries that correctly implement this kind of authentication.
不过,遵循的模式是这样的:
Nevertheless, the pattern to follow is like this:
- 根本不将普通密码存储在数据库中.创建用户帐户后,请立即对密码进行哈希处理并将其存储.
- 用户登录时,对输入的密码值进行哈希处理,然后将其与已经存储在数据库中的值进行比较.
(请注意,为了获得良好的安全性,您不仅需要使用现代的哈希算法,还应使用
(Note that for decent security, you not only need to use a modern hash algorithm but should also use a salt).
这篇关于使用来自用户数据库的Python凭据安全登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!