I am developing a social networking site and I have implemented basic functionalities like signup and login. I have used basic HTML/CSS/JS for the front end and Python (Flask) in the backend with Firebase DB. The problem is, I am able to access the database and I can see the passwords of all the registered users. Is there a secure way by which passwords can be stored so that admins (me) cannot misuse them?
- https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e : basically you add a `salt` (a short random string) to the password, run a hash function several thousand times over `salt + password`, and store the `salt` and the hash result. There are standard ways to do this: PBKDF2, Scrypt, Bcrypt, argon2, ... – hiro protagonist Oct 27 '20 at 06:29
- https://pypi.org/project/argon2-cffi/ or https://github.com/maxcountryman/flask-bcrypt or many others. – hiro protagonist Oct 27 '20 at 06:37
- Securing passwords is hard. Consider using [Firebase authentication](https://firebase.google.com/docs/auth) instead. – Selcuk Oct 27 '20 at 06:38
- @hiroprotagonist I generate a salt for the password and I run a hash function several times. After doing this, I store the salt and hashed password in my database. Now I have access to both the salt and hash value. So won't I be able to decrypt the same data? – Sarath Oct 27 '20 at 06:39
- Hash functions are **one-way** - they are designed such that it is computationally infeasible to go back (i.e. the best attack should be that you try to brute-force the input). Repeating the hashing slows down this attack. Hashing is not the same as encryption (where you want to be able to undo the operation). – hiro protagonist Oct 27 '20 at 06:41
- @hiroprotagonist Thanks! I am relatively new to cryptography and cybersecurity, so I got confused between hashing algorithms and encryption algorithms. – Sarath Oct 27 '20 at 06:44
- @hiroprotagonist I'd recommend passlib as a clearing house of secrets management; it's well documented, has excellent guides, has a rather good API, and has built-in support for upgrading hashing schemes online (though I don't think it has double-hashing support, sadly). – Masklinn Oct 27 '20 at 07:00
- https://security.stackexchange.com/q/211/86735 – kelalaka Oct 27 '20 at 07:44
- @hiroprotagonist The actual boundary is not exact. Actually, a hash function can be used for encryption. The CTR mode is actually designed for a PRF, and we use it with a PRP in AES-CTR and with a PRF with ChaCha20. That is a [long story](https://stackoverflow.com/a/64451775/1820553), or see here [the long message distinguisher](https://crypto.stackexchange.com/a/85572/18298). – kelalaka Oct 27 '20 at 09:21
- @kelalaka Yep, sure. But then you do not use the plaintext as input to the hash function - which is the case here. – hiro protagonist Oct 27 '20 at 09:23
1 Answer
werkzeug takes care of this for you. Basically, the passwords are stored in their hashed form, so all you'll see is a big bunch of random characters. In your models.py file add:

```python
from werkzeug.security import generate_password_hash, check_password_hash
```

then wherever you set up your users table you set the password as "generate_password_hash". There's a more detailed example here.

nickvokey
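The following is an added example, not code from the question, the answer or werkzeug itself. It shows end to end what the comments describe (a random per-user salt, a hash iterated many thousands of times, only `salt` and digest stored) and what the answer's werkzeug helpers do internally, using only the Python standard library: `hashlib.pbkdf2_hmac` is the same PBKDF2-HMAC-SHA256 construction behind werkzeug's `pbkdf2:sha256` method. It also answers the "can't I decrypt it?" worry: `verify_password` can only recompute a candidate's hash and compare, it cannot recover the password from the record. The `User` class, the `USERS` dict, `signup` and `login` are constructed stand-ins for a Flask model and the Firebase collection; the `needs_rehash` upgrade-on-login step is the "upgrading hashing schemes online" idea from the passlib comment.

```python
"""Salted, iterated password hashing for a signup/login flow (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor. Tune it so one hash takes roughly 100 ms on your server;
# 200_000 is kept modest here so the example runs quickly. The salt is
# random per user and is NOT a secret: it only makes identical passwords
# hash differently and defeats precomputed tables.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Nothing here decrypts anything: the only way to learn the password from
    the record is to guess candidates and run each one through this function.
    """
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False                     # malformed record, never matches
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than we want now."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations


class User:
    """Minimal stand-in for a Flask/SQLAlchemy model (constructed for this example)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password_hash = hash_password(password)   # plaintext is never stored

    def check_password(self, candidate: str) -> bool:
        ok = verify_password(self.password_hash, candidate)
        # A successful login is the only moment the plaintext is available,
        # so it is the moment to transparently upgrade an old, weaker record.
        if ok and needs_rehash(self.password_hash):
            self.password_hash = hash_password(candidate)
        return ok


USERS: Dict[str, User] = {}   # constructed in-memory "database"


def signup(username: str, password: str) -> User:
    user = User(username, password)
    USERS[username] = user
    return user


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        hash_password(password)   # burn the same time so unknown users are not distinguishable
        return False
    return user.check_password(password)


if __name__ == "__main__":
    signup("alice", "correct horse battery staple")
    signup("bob", "correct horse battery staple")   # same password, different record
    print(USERS["alice"].password_hash)
    print(USERS["bob"].password_hash)
    print(login("alice", "correct horse battery staple"))   # True
    print(login("alice", "wrong"))                           # False
```

Run it and compare the two printed records: the same password yields two different strings because each user got a fresh salt, and an admin reading the database holds exactly what `verify_password` holds, which is enough to check a guess but not to read the password back.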