Reputation: 15
I have the following problem. I made a registration password for my site so that a user needs to know this password to be able to register. Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password.
    class RegistrationPassword(models.Model):
        password = models.CharField(max_length=20, unique=True)
        poweruser = models.BooleanField(default=False)

        def __unicode__(self):
            return self.password
I register this with admin so that I can add and delete passwords and make the poweruser linked to them either true or false. Then when a user registers I check the boolean like this:
    registrationpassword = form.cleaned_data.get('registrationpassword')
    ispoweruser = RegistrationPassword.objects.get(password=registrationpassword).poweruser
Problem is the password is not hashed or encrypted in any way. How do I go about adding more security to my method?
Upvotes: 0
Views: 165
Reputation: 5291
Problem is the password is not hashed or encrypted in any way. How do I go about adding more security to my method?
Most commonly passwords are hashed using SHA-x or MD5 hashing algorithms. In such a case developers hash a password and store the hashed copy in the database or code, so there is no human-readable copy anywhere.
To authenticate against this password you have to create a HASH of the user entered password and then compare it against the stored password.
If you are creating a web app, the hashing can be done in JavaScript before submitting the web page. This way a hashed password travels through the network, making it difficult for hackers to intercept and then "un-hash" it.
JavaScript hashing goes like the following (assume we are using MD5 and the user's password is "test"):
run a query which is similar to the following
    select md5(concat(pwd,'9985')) as newpwd from users where uname='xyz'
If someone tries to post data through HTTP replay, the authentication will not go through because the server creates a new session id each time. So if a user logs out and logs back in, a new hashed password is sent through the wire.
See the following links for your reference
Python's safest method to store and retrieve passwords from a database
What is the format in which Django passwords are stored in the database?
http://en.wikipedia.org/wiki/Salt_(cryptography)
Upvotes: 0
Reputation: 391846
Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password
Don't. Use Groups. That's what they're for.
If this "power user" is not the superuser, then you need to define a group that has their extra privileges and put power users in this group.
Each of your view functions needs to confirm that the user is in the proper group to use the view function.
Now ispoweruser is a simple test against the group name: no extra password, no extra boolean.
Upvotes: 1
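As an added example (not code from the question or from either answer), the two suggestions combined using only the Python standard library: registration codes are stored as salted PBKDF2-SHA256 hashes in the same `pbkdf2_sha256$iterations$salt$hash` layout Django's own password hasher writes, and each row carries a group name in place of the `poweruser` boolean. The iteration count, the sample codes and the group names are constructed assumptions, and the plain list stands in for the model's rows so the code runs without Django.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

# Stored format mirrors Django's pbkdf2_sha256 hasher:
#   pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this example


def make_code_hash(code: str, salt: Optional[str] = None,
                   iterations: int = ITERATIONS) -> str:
    """Hash a registration code; only this string is stored, never the code."""
    salt = salt or secrets.token_urlsafe(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_code(code: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed stored value never verifies
    _, iterations, salt, _ = parts
    candidate = make_code_hash(code, salt, int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


# Constructed sample rows standing in for RegistrationPassword objects:
# a hashed code plus the Django group it grants (per the second answer).
REGISTRATION_CODES = [
    {"code_hash": make_code_hash("spring-invite-2013"), "group": "members"},
    {"code_hash": make_code_hash("staff-onboarding"), "group": "power_users"},
]


def group_for_code(submitted: str, rows: List[dict] = REGISTRATION_CODES) -> Optional[str]:
    """Return the group a submitted code grants, or None if nothing matches.

    A salted hash cannot be looked up with .get(password=...), so each row is
    checked in turn; that is fine for a handful of invitation codes.
    """
    match = None
    for row in rows:
        # Check every row instead of returning early so response time does
        # not depend on which position (if any) matched.
        if check_code(submitted, row["code_hash"]):
            match = row["group"]
    return match
```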