How to use Bcrypt to encrypt passwords in Django


Problem description

I am trying to use Bcrypt to encrypt passwords that users provide upon registration and then use Bcrypt to validate a password a user provides upon login against the hashed version stored in the database.

There is some pretty good documentation about how to install Bcrypt via the Django docs, but they don't actually show you how to use Bcrypt to hash passwords or use other commands.

Do you need to import Bcrypt from somewhere? If so, what is the correct syntax for it? What is the syntax for hashing passwords and comparing hashed passwords against non-hashed passwords?

I installed the Bcrypted library in the settings.py file and also installed Bcrypt via pip. What else do I need to do to use Bcrypt?

Solution

At your link:

The password attribute of a User object is a string in this format:

<algorithm>$<iterations>$<salt>$<hash>

Those are the components used for storing a User’s password, separated by the dollar-sign character and consist of: the hashing algorithm, the number of algorithm iterations (work factor), the random salt, and the resulting password hash. The algorithm is one of a number of one-way hashing or password storage algorithms Django can use; see below. Iterations describe the number of times the algorithm is run over the hash. Salt is the random seed used and the hash is the result of the one-way function.


I installed the Bcrypted library in the settings.py file... What else do I need to do to use Bcrypt?

I'm not sure what that first sentence means. You need to put the following in settings.py:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)

use Bcrypt to validate a password a user provides upon login against the hashed version stored in the database.

You can do that manually:

The django.contrib.auth.hashers module provides a set of functions to create and validate hashed password. You can use them independently from the User model.

check_password(password, encoded)
If you’d like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function check_password(). It takes two arguments: the plain-text password to check, and the full value of a user’s password field in the database to check against, and returns True if they match, False otherwise.

https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#module-django.contrib.auth.hashers

Or, you can use authenticate():

authenticate(**credentials)
To authenticate a given username and password, use authenticate(). It takes credentials in the form of keyword arguments, for the default configuration this is username and password, and it returns a User object if the password is valid for the given username. If the password is invalid, authenticate() returns None. Example:

from django.contrib.auth import authenticate

user = authenticate(username='john', password='password to check')

if user is not None:
    # the password verified for the user
    if user.is_active:
        print("User is valid, active and authenticated")
    else:
        print("The password is valid, but the account has been disabled!")
else:
    # the authentication system was unable to verify the username and password
    print("The username and password were incorrect.")

https://docs.djangoproject.com/en/1.9/topics/auth/default/#authenticating-users

Here are some examples:

(django186p34)~/django_projects/dj1$ python manage.py shell

Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)

>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)

('django.contrib.auth.hashers.PBKDF2PasswordHasher',
 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
 'django.contrib.auth.hashers.BCryptPasswordHasher',
 'django.contrib.auth.hashers.SHA1PasswordHasher',
 'django.contrib.auth.hashers.MD5PasswordHasher',
 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 
 'django.contrib.auth.hashers.CryptPasswordHasher')

Those are the defaults: there is no entry in my settings.py for PASSWORD_HASHERS.

>>> from django.contrib.auth.models import User

>>> my_user = User.objects.create_user('ea87', 'ea@gmail.com', '666monkeysAndDogs777')

>>> my_user.save()
>>> my_user.password
'pbkdf2_sha256$20000$L7uq6goI1HIl$RYqywMgPywhhku/YqIxWKbpxODBeczfLm5zthHjNSSk='
>>> my_user.username
'ea87'

>>> from django.contrib.auth import authenticate

>>> authenticate(username='ea87', password='666monkeysAndDogs777')
<User: ea87>

>>> print(authenticate(username='ea87', password='wrong password'))
None

>>> from django.contrib.auth.hashers import check_password

>>> check_password('666monkeysAndDogs777', my_user.password)
True

>>> exit()

Next, I added the following to settings.py:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)


(django186p34)~/django_projects/dj1$ python manage.py shell

Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)

>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
 'django.contrib.auth.hashers.BCryptPasswordHasher',
 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
 'django.contrib.auth.hashers.SHA1PasswordHasher',
 'django.contrib.auth.hashers.MD5PasswordHasher', 
 'django.contrib.auth.hashers.CryptPasswordHasher')

Note the bcrypt hashers at the front of the tuple.

>>> from django.contrib.auth.models import User

>>> user = User.objects.get(username='ea87')
>>> user
<User: ea87>

>>> user.password
'pbkdf2_sha256$20000$DS20ZOCWTBFN$AFfzg3iC24Pkj5UtEu3O+J8KOVBQvaLVx43D0Wsr4PY='

>>> user.set_password('666monkeysAndDogs777')
>>> user.password
'bcrypt_sha256$$2b$12$QeWvpi7hQ8cPQBF0LzD4C.89R81AV4PxK0kjVXG73fkLoQxYBundW'

You can see that the password has changed to a bcrypt version.
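
Added example, not part of the original answer and not Django's own code: a standard-library sketch that takes apart the two stored password strings shown in the shell sessions above, verifies a `pbkdf2_sha256` entry by recomputing it, and flags entries that do not use the preferred hasher. The function names and the `PREFERRED` constant are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# Assumption: the first PASSWORD_HASHERS entry from the answer, by its storage label.
PREFERRED = "bcrypt_sha256"

def parse_encoded(encoded):
    """Split a stored password string into labelled components."""
    algorithm, rest = encoded.split("$", 1)
    if algorithm.startswith("bcrypt"):
        # rest is a raw bcrypt string: $<version>$<cost>$<22-char salt><31-char hash>
        _, version, cost, tail = rest.split("$")
        return {"algorithm": algorithm, "version": version,
                "work_factor": int(cost),  # bcrypt cost is log2 of the round count
                "salt": tail[:22], "hash": tail[22:]}
    iterations, salt, digest = rest.split("$")
    return {"algorithm": algorithm, "work_factor": int(iterations),
            "salt": salt, "hash": digest}

def encode_pbkdf2_sha256(password, salt, iterations):
    """Build a string in the pbkdf2_sha256$<iterations>$<salt>$<base64 hash> layout."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    digest = base64.b64encode(raw).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, digest)

def verify_pbkdf2_sha256(password, encoded):
    """Recompute with the stored salt and iterations; compare in constant time."""
    parts = parse_encoded(encoded)
    if parts["algorithm"] != "pbkdf2_sha256":
        raise ValueError("not a pbkdf2_sha256 entry")
    candidate = encode_pbkdf2_sha256(password, parts["salt"], parts["work_factor"])
    return hmac.compare_digest(candidate.encode(), encoded.encode())

def needs_rehash(encoded, preferred=PREFERRED):
    """True when the stored entry was not produced by the preferred hasher."""
    return parse_encoded(encoded)["algorithm"] != preferred

# Stored values copied from the shell sessions above.
PBKDF2_ROW = "pbkdf2_sha256$20000$L7uq6goI1HIl$RYqywMgPywhhku/YqIxWKbpxODBeczfLm5zthHjNSSk="
BCRYPT_ROW = "bcrypt_sha256$$2b$12$QeWvpi7hQ8cPQBF0LzD4C.89R81AV4PxK0kjVXG73fkLoQxYBundW"

if __name__ == "__main__":
    for row in (PBKDF2_ROW, BCRYPT_ROW):
        print(parse_encoded(row), "needs rehash:", needs_rehash(row))
    # Constructed passphrase and salt, used only to show the round trip.
    demo = encode_pbkdf2_sha256("constructed-passphrase", "constructedSalt", 20000)
    print(verify_pbkdf2_sha256("constructed-passphrase", demo))
```

In a real project `check_password()` and `authenticate()` do this work, and Django re-hashes an entry with the preferred hasher on the user's next successful login, so the manual `set_password()` call in the session above is not required for migration.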
