开发者

Creating a password with an extra booleanField

I have the following problem. I made a registration password for my site so that a user needs to know this password to be able to register. Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password.

class RegistrationPassword(models.Model):
    password = models.CharField(max_length=20, unique=True)
    poweruser = models.BooleanField(default=False)

    def __unicode__(self):
        return self.password

I register this with admin so that I can add and delete passwords and make the poweruser linked to them either true or false. Then when a user registers I check the boolean like this:

registrationpassword = form.cleaned_data.get('registrationpassword')
ispoweruser = RegistrationPassword.objects.get(password=registrationpassword).poweruser

Problem is the password is not hashed or encrypted in an开发者_如何学Goy way. How do I go about adding more security to my method?


Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password

Don't. Use Groups. That's what they're for.

If this "power user" is not the superuser, then you need to define a group that has their extra privileges and put power users in this group.

Each of your view functions needs to confirm that the user is in the proper group to use the view function.

Now ispoweruser is a simple test against the group name, no extra password no extra boolean.


Use auth app, and user.is_superuser. Don't reinvent a wheel.


Problem is the password is not hashed or encrypted in any way. How do I go about adding more security to my method?

Most commonly passwords are hashed using SHA-x or MD-5 hashing algorithms. In such a case developers hash a password and store the hashed copy in the database or code. So there is no human readable copy anywhere.

To authenticate against this password you have to create a HASH of the user entered password and then compare it against the stored password.

If you are creating a web app the hashing can be done in javascript before submitting the webpage, this way a hashed password travels through the network, making it difficult for hackers to intercept and then "un-hash" them

Javascript hashing goes like following (assume we are using md5 and users password is "test")

  1. generate md 5 of "test" which is 098f6bcd4621d373cade4e832627b4f6 and store it in the db
  2. On the client side(javascript) retrieve the session-id
  3. let's say users enters "test" md5 it first so the result is 098f6bcd4621d373cade4e832627b4f6
  4. md5 it again with the session-id prepended (let's say session id here is 9985) so the new md5 is f93437292fca0cf9b71bf1f3fe6c4679
  5. send ONLY the hash to the server
  6. server can get the session id by using one of the library methods, for example in Java one can get the id by session.getId();
  7. run a query which is similar to the following

    select md5(concat(pwd,'9985')) as newpwd from users where uname='xyz'

  8. match "newpwd" with the user submitted value

If someone tries to post data through HTTP reply the authentication will not go through because the server creates new session id each time. So if a user logs out and logs back in a new hashed password is sent through the wire.

See the following links for your reference

Python's safest method to store and retrieve passwords from a database

What is the format in which Django passwords are stored in the database?

http://en.wikipedia.org/wiki/Salt_(cryptography)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜