0

I am trying to create a program that asks the user for, in this example, let's say a username and password, then stores this (I assume in a text file). The area I am struggling with is how to allow the user to update their password stored in the text file? I am writing this in Python.

Gear
  • 11
  • 1
  • 2
  • 3
    _**Please** don't **ever** store passwords as plain text._ They need to be hashed and salted, ideally not by code you wrote. There are plenty of authentication libraries available. Anyway, I think you'll have a much less painful time if you use a database as, well, a database. They're designed to make adding data, looking up data, modifying data, and deleting data straightforward. SQLite is included with Python, and fairly easy to work with. – ChrisGPT was on strike Sep 17 '17 at 19:23
  • Another "database" included with Python is [shelve](https://docs.python.org/3.6/library/shelve.html) which is even easier than SQLite. – Rory Daulton Sep 17 '17 at 19:36
  • 2
    @Chris Simply "hashed and salted" is insufficient for a password validator. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Better yet use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt`, `passlib.hash` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph Sep 17 '17 at 20:11
  • @zaph, I know, which is why I pushed the OP towards libraries that provide abstractions over all of this. Most developers shouldn't ever be dealing with this stuff manually. I'm not sure how valuable it is to throw all of those details at a new developer in a comment, though I guess it might help to scare them away from trying to do this themselves. – ChrisGPT was on strike Sep 17 '17 at 20:12
  • Yes, most developers should not be dealing with security—but they do. Professionals know their limits. In a non-similar fashion most doctors should not perform heart surgery—and they don't, they are professionals. – zaph Sep 17 '17 at 20:17
  • @Chris what about Bcrypt? Can we use it? – keyvan vafaee Sep 17 '17 at 20:51
  • 2
    @keyvanvafaee, with the right parameters Bcrypt is probably okay. It's important to use an adaptive algorithm, which usually means you can make calculating the hash more expensive by increasing the number of iterations. Bcrypt supports this. – ChrisGPT was on strike Sep 17 '17 at 21:10

4 Answers

0

Because you've asked to focus on how to handle the updates in a text file, I've focused on that part of your question. So, in effect, I've focused on answering how you would go about having something that changes in a text file when those changes impact the length and structure of the text file. That question is independent of the thing in the text file being a password. There are significant concerns related to whether you should store a password, or whether you should store some quantity that can be used to verify a password. All that depends on what you're trying to do, what your security model is, and on what else your program needs to interact with. You've ruled all that out of scope for your question by asking us to focus on the text file update part of the problem.

You might adopt the following pattern to accomplish this task:

  • At the beginning, see if the text file is present. If so, read it and assume you are doing an update rather than a new user.

  • Ask for the username and password. If it is an update, prompt with the old values and allow them to be changed.

  • Write out the text file.

Most strategies for updating things stored in text files involve rewriting the text file entirely on every update.

Sam Hartman
  • 6,210
  • 3
  • 23
  • 40
0
import getpass
import bcrypt


def two_hash():
    # bcrypt.hashpw takes bytes and embeds the random salt in its own
    # output, so there is no need to concatenate the salt yourself.
    master_key = getpass.getpass('enter pass word ').encode('utf-8')
    hashed = bcrypt.hashpw(master_key, bcrypt.gensalt())

    allow = input('do you want to update pass ')
    if allow == 'y':
        old = getpass.getpass('enter old pass word ').encode('utf-8')
        # checkpw re-hashes `old` with the salt stored inside `hashed`
        # and compares the result to `hashed`
        if bcrypt.checkpw(old, hashed):
            new = getpass.getpass('enter new pass ').encode('utf-8')
            new_hashed = bcrypt.hashpw(new, bcrypt.gensalt())
            # this hash (salt included) is what gets stored, never the password
            print(new_hashed.decode('ascii'))


if __name__ == '__main__':
    two_hash()

Note 1: I wanted to split my code into several functions but I can't, so please help me split it into functions.

keyvan vafaee
  • 464
  • 4
  • 15
  • @Chris check this. I also want to separate some part of this code but I can't do this because (salt) will be changed in any function and I want to save it to file. Can you update my code and help me to improve it? – keyvan vafaee Sep 17 '17 at 21:51
  • This doesn't answer the question at all: it focuses on the password management rather than interacting with the text file. – Sam Hartman Sep 18 '17 at 19:26
  • @Sam Hartman OK, we can't and should not work with any text file, it's not SECURE! Just as Chris said, text is not secure and we have to store passwords in a secure way – keyvan vafaee Sep 18 '17 at 21:28
  • Text files are no more or less secure than anything else. I've updated my answer to discuss the difference between verifiers and storing the password itself. Note that I can store an encrypted password or a verifier in a text file just like anything else. – Sam Hartman Sep 20 '17 at 15:22
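The read-then-rewrite pattern from Sam Hartman's answer and the "split it into functions and save the salt to the file" request from keyvan vafaee's answer, as one added example that is not code from the question or from either answer. It stores a verifier rather than the password, using PBKDF2-HMAC-SHA256 from the standard library instead of bcrypt so that it runs with no extra packages; the `username:iterations$salt$hash` line format, the function names, the file name `users.txt` and the iteration count are all this example's own assumptions, not anything stated on the page.

```python
"""Password verifiers in a text file, updated by rewriting the whole file.

Added example. Each line is 'username:iterations$salt_hex$hash_hex';
the salt is saved next to the hash so verification can recompute it.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on your machine
SALT_BYTES = 16


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def check_verifier(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = verifier.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def load_users(path: str) -> dict:
    """Read 'username:verifier' lines; a missing file means no users yet."""
    users = {}
    if not os.path.exists(path):
        return users
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            username, verifier = line.split(":", 1)
            users[username] = verifier
    return users


def save_users(path: str, users: dict) -> None:
    """Rewrite the whole file: write a temp file in the same directory, then rename.

    The rename is atomic, so a crash mid-write leaves the old file intact
    instead of a truncated one.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".users-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            for username, verifier in sorted(users.items()):
                f.write(f"{username}:{verifier}\n")
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)      # verifiers are readable by the owner only
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def register(path: str, username: str, password: str) -> bool:
    """Add a new user; False if the name is taken or would break the line format."""
    users = load_users(path)
    if username in users or ":" in username or not username:
        return False
    users[username] = make_verifier(password)
    save_users(path, users)
    return True


def authenticate(path: str, username: str, password: str) -> bool:
    users = load_users(path)
    return username in users and check_verifier(password, users[username])


def update_password(path: str, username: str, old: str, new: str) -> bool:
    """Change a password only after the old one verifies; rewrites the file."""
    users = load_users(path)
    if username not in users or not check_verifier(old, users[username]):
        return False
    users[username] = make_verifier(new)
    save_users(path, users)
    return True


if __name__ == "__main__":
    import getpass
    PATH = "users.txt"   # assumption: the text file lives in the working directory
    name = input("username: ")
    if name in load_users(PATH):
        old = getpass.getpass("old password: ")
        new = getpass.getpass("new password: ")
        print("updated" if update_password(PATH, name, old, new) else "old password wrong")
    else:
        print("registered" if register(PATH, name, getpass.getpass("password: ")) else "refused")
```

Rewriting through a temporary file in the same directory is what makes `os.replace` atomic; writing to a temp file in `/tmp` and renaming across filesystems would not be. The iteration count is stored per line so it can be raised later for new or changed passwords without invalidating existing ones.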
-2

Is this a single-user application that you have? If you can provide more information on where you're struggling

  • You can read the password file (which has usernames and passwords).
  • When the user authenticates, match the username and password to the combination in the text file.
  • When the user wants to change the password, the user provides the old and new password. The username and old password combination is compared to the one in the text file and, if it matches, stores the new password.

BA.
  • 924
  • 7
  • 10
-2

Try using JSON. An example of a json file would be this:

{
    "Usernames": {
        "Username": [
            {
                "Password": "Password123"
            }
        ]
    }
}

Then to edit the json:

import json

with open('json.json') as f:  # Load the json
    jsonloads = json.load(f)

username = input("Enter your username: ")  # Get username as a string
for i in jsonloads["Usernames"]:  # Iterate through usernames
    if i == username:  # If the username is what they entered
        passw = input("New password: ")  # Ask for new password
        jsonloads["Usernames"][i][0]["Password"] = passw  # Set the password
        with open("json.json", "w") as jsonFile:  # Open the json for writing
            jsonFile.write(json.dumps(jsonloads, indent=4))  # Write
        break  # Break out of the for loop
else:  # If it remains unbroken
    print("You aren't in the database. ")
    user = input("Username: ")  # Ask for username
    passw = input("Password: ")  # Ask for password for username
    item = [{"Password": passw}]  # Make a list holding a dict, same layout as the existing entries
    jsonloads["Usernames"][user] = item  # Add it under "Usernames"
    with open('json.json', 'w') as f:  # Open the json
        f.write(json.dumps(jsonloads, indent=4))  # Write

Something like that should work, haven't tested it though.

Also, remember to always encrypt passwords!

Invision
  • 90
  • 1
  • 10
  • 1
    Do not encrypt passwords, save a password verifier, see the answer comment to @Chris for details. But your example code does save plain text passwords! – zaph Sep 17 '17 at 20:08
  • Also, don't use a variable named `pass`. [`pass` is a keyword in Python](https://docs.python.org/3.7/reference/lexical_analysis.html#id8). – ChrisGPT was on strike Sep 17 '17 at 20:16