0

I have the following problem. I made a registration password for my site so that a user needs to know this password to be able to register. Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password.

class RegistrationPassword(models.Model):
    password = models.CharField(max_length=20, unique=True)
    poweruser = models.BooleanField(default=False)

    def __unicode__(self):
        return self.password

I register this with admin so that I can add and delete passwords and make the poweruser linked to them either true or false. Then when a user registers I check the boolean like this:

registrationpassword = form.cleaned_data.get('registrationpassword')
ispoweruser = RegistrationPassword.objects.get(password=registrationpassword).poweruser

Problem is the password is not hashed or encrypted in any way. How do I go about adding more security to my method?

leffe
  • 15
  • 6

3 Answers3

1

Also I would like a boolean value linked to it which would determine what kind of rights the user gets with this password

Don't. Use Groups. That's what they're for.

If this "power user" is not the superuser, then you need to define a group that has their extra privileges and put power users in this group.

Each of your view functions needs to confirm that the user is in the proper group to use the view function.

Now ispoweruser is a simple test against the group name, no extra password no extra boolean.

S.Lott
  • 384,516
  • 81
  • 508
  • 779
  • Worth reading: Django docs on [groups](https://docs.djangoproject.com/en/dev/topics/auth/#groups) and [custom permissions](https://docs.djangoproject.com/en/dev/topics/auth/#custom-permissions). – Mike DeSimone Jul 19 '11 at 12:48
0

Use auth app, and user.is_superuser. Don't reinvent a wheel.

DrTyrsa
  • 31,014
  • 7
  • 86
  • 86
  • Yes but how can I use say two different registration passwords. One of them making user.is_super= TRUE and the other one user_is_superuser= FALSE. The problem is not the permission assignment but the way I could use two different passwords to assign them in a particular group. – leffe Jul 19 '11 at 09:42
0

Problem is the password is not hashed or encrypted in any way. How do I go about adding more security to my method?

Most commonly passwords are hashed using SHA-x or MD-5 hashing algorithms. In such a case developers hash a password and store the hashed copy in the database or code. So there is no human readable copy anywhere.

To authenticate against this password you have to create a HASH of the user entered password and then compare it against the stored password.

If you are creating a web app the hashing can be done in javascript before submitting the webpage, this way a hashed password travels through the network, making it difficult for hackers to intercept and then "un-hash" them

Javascript hashing goes like following (assume we are using md5 and users password is "test")

  1. generate md 5 of "test" which is 098f6bcd4621d373cade4e832627b4f6 and store it in the db
  2. On the client side(javascript) retrieve the session-id
  3. let's say users enters "test" md5 it first so the result is 098f6bcd4621d373cade4e832627b4f6
  4. md5 it again with the session-id prepended (let's say session id here is 9985) so the new md5 is f93437292fca0cf9b71bf1f3fe6c4679
  5. send ONLY the hash to the server
  6. server can get the session id by using one of the library methods, for example in Java one can get the id by session.getId();

  7. run a query which is similar to the following

    select md5(concat(pwd,'9985')) as newpwd from users where uname='xyz'

  8. match "newpwd" with the user submitted value

If someone tries to post data through HTTP reply the authentication will not go through because the server creates new session id each time. So if a user logs out and logs back in a new hashed password is sent through the wire.

See the following links for your reference

Python's safest method to store and retrieve passwords from a database

What is the format in which Django passwords are stored in the database?

http://en.wikipedia.org/wiki/Salt_(cryptography)

Community
  • 1
  • 1
Sap
  • 5,197
  • 8
  • 59
  • 101
  • Hashing in javascript is very "secure". – DrTyrsa Jul 19 '11 at 08:33
  • You are right, we might expose what algorithm are we using for hashing. But I have seen at some places where the website uses javascript hashing with session id appended as salt. Because the salt is session-id itself one can't even do a replay attack on such websites. – Sap Jul 19 '11 at 09:02
  • So, if a "hacker" sniffs the traffic, he will know hash, salt and algorythm. Very, very nice. I also heard about [this thing](http://en.wikipedia.org/wiki/HTTP_Secure), but JS solution seems much more reliable to me, yes. – DrTyrsa Jul 19 '11 at 09:25
  • If you stop being sarcastic and start understanding the solution it will help. Tell me how will you break a password in given scenario even if you know the salt and the algorithm. The salt is never the same between two sessions. if you use intercepted salt and send it to the server it will never match because your salt is different then the one used at the server. – Sap Jul 19 '11 at 09:52
  • I believe that if someone make a recomendation he should really know the subject. Because bad advice is much worse than no advice. You recommend to use JS hashing to "make it difficult for hackers to intercept and then "un-hash"". Suppose, I'm hacker. I intercepted some traffic with: session_id (you need to transfer it somehow), hash. I can go to the webpage and see the algorythm. So I can start a brute-force and if password isn't very complicated (like most passwords) I will break it in reasonable time. This solution is very vulnerable and has no advantages over HTTPS. So, why to recomend it? – DrTyrsa Jul 19 '11 at 10:19
  • " I intercepted some traffic with: session_id..." You are right but that's the point, when you will try to brute force it you won't know what session id to use! Let me try explaining it in the answer section – Sap Jul 19 '11 at 11:23
  • After interception I will know that `md5(md5(x)+'9985') = f93437292fca0cf9b71bf1f3fe6c4679` It won't take much time to find `x` if it's not complicated (and usually it isn't). And no need to connect to server. – DrTyrsa Jul 19 '11 at 14:12
  • @DrTyrsa let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/1642/discussion-between-sapan-and-drtyrsa) – Sap Jul 20 '11 at 04:00