Reputation: 43
Why is it regarded as bad practice to create your own user class in django as opposed to using the django built in user functions?
P.S. The user class I want to create contains fields for their email, passwords (hashed integers), names and user type. The passwords were hashed using Python's hash() method:
hash(password_string)
Upvotes: 1
Views: 89
Reputation: 53699
Using your own User class is fully supported and even encouraged by some, including me. It allows all kinds of customizations, such as using email as a username, providing a user type, or pretty much anything you can think of.
Providing your own authentication mechanism, whilst supported, is strongly discouraged if you don't have experience with security. You should build on the years and years of experience that have been put into Django's authentication mechanisms and the hashing functions used by Django, and rely on the constant watchful eye of the community looking out for security vulnerabilities.
As for storing the password using the built-in hash(password_string)? You're almost better off storing your passwords in plain text. The built-in hash() function is designed for speed. It is not cryptographically secure, and it is incredibly quick. What does that mean? The first means that collisions are not evenly distributed. Some hashed values occur more than others, meaning that some passwords are inherently weaker and will compare equal to other passwords. The second means that an attacker who gets hold of the passwords in your database can simply brute-force the values. You're using a single iteration, which means that the attacker can literally try billions of passwords each second. You're not using a salt, which makes the list of passwords susceptible to parallelism and rainbow tables. Not to mention that, in Python 3, the hash() function is seeded with a random value, and each new Python process will produce a different hash for the same password, i.e. the passwords will only be valid for that particular Python process, until it is restarted.
That's just the tip of the iceberg.
So feel free to roll your own User class, use whatever you like as the username, provide whatever additional attributes you'd like, but please, please, please use Django's default authentication mechanisms for everyone's sake.
Upvotes: 6
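The following is an added, stand-alone illustration of the points made in the answer above; it is not code from the question, the answer, or Django itself, and it needs no Django install. It shows three things in one script: that hash() of the same string differs between Python processes (forced here by running two child interpreters with different PYTHONHASHSEED values), that an unsalted single-iteration hash() falls to a trivial dictionary attack, and what a salted, iterated, constant-time-verified scheme looks like. The make_password/check_password pair and the "pbkdf2_sha256$iterations$salt$hash" layout are modeled on the shape of Django's PBKDF2 hasher as an assumption for illustration; the iteration count is deliberately lowered so the demo runs quickly and is not a recommended production value. The wordlist and sample password are constructed inputs.

```python
import base64
import hashlib
import hmac
import os
import secrets
import subprocess
import sys
from typing import Optional

# Constructed sample input: a tiny "dictionary" an attacker might try first.
WORDLIST = ["letmein", "password", "hunter2", "qwerty", "correct horse"]

# Lowered for demo speed; Django's real default is several hundred thousand
# or more and rises with each release. This is an illustrative value only.
ITERATIONS = 50_000


def hash_in_fresh_process(password: str, seed: int) -> int:
    """Compute hash(password) in a separate interpreter seeded with PYTHONHASHSEED=seed."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", password],
        env=env,
    )
    return int(out)


def builtin_hash_differs_across_processes(password: str) -> bool:
    """True when two differently seeded interpreters disagree on hash(password).

    This is the 'only valid for that particular Python process' problem: a
    value stored by one worker would not verify in the next one.
    """
    return hash_in_fresh_process(password, 1) != hash_in_fresh_process(password, 2)


def crack_builtin_hash(stored: int, wordlist) -> Optional[str]:
    """Dictionary attack against an unsalted hash(): one cheap call per guess.

    No salt means every account can be attacked with the same guess list, and
    a single iteration means the attacker's cost per guess is negligible.
    """
    for guess in wordlist:
        if hash(guess) == stored:
            return guess
    return None


def make_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, encoded as algorithm$iterations$salt$hash.

    The encoding mirrors the general shape of Django's hasher output (an
    assumption made for this example). A fresh random salt is generated when
    none is supplied, so the same password yields a different stored value
    each time; the salt is stored alongside so it can be reused on verify.
    """
    if salt is None:
        salt = secrets.token_urlsafe(12)  # URL-safe alphabet never contains '$'
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode("ascii"))


def check_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = make_password(password, int(iterations), salt)
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("hash() unstable across processes:", builtin_hash_differs_across_processes(pw))
    print("hash() cracked with a 5-word list:", crack_builtin_hash(hash(pw), WORDLIST))
    stored = make_password(pw)
    print("stored:", stored)
    print("verify correct:", check_password(pw, stored))
    print("verify wrong:", check_password("hunter3", stored))
    print("same password, different salt:", stored != make_password(pw))
```

Run it directly to see the three behaviours side by side. The point of the last line is the one the answer makes about salts: two users with the same password get two unrelated stored values, so a precomputed table or a single cracking pass cannot cover both.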