diff --git a/README.md b/README.md index 12358ed..8acabb1 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,13 @@ # Secure Coding with Python. ## Chapter 3: Weak Password Storage -### Requirement -Now that we know our DB is working, it's time to start creating some users. We should have a signup account that create the user. - -### Development -We create a signup page, a user model and start taking in new users. +### Fix +In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256. ### Vulnerability -Since we are not thoughtful on what we are doing, we are storing the passwords in plain text. Meaning anyone with access to our DB, or exploiting an SQL injection, as shown in previous chapter, can easily get any user password. +Even though we are storing passwords encrypted, our choice of algorithm allows an attacker to perform rainbow table attacks, given access to the password hashes. -**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.1-weak-password-storage/fix)** +**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.2-weak-password-storage/test)** ## Index ### 1. Vulnerable Components diff --git a/marketplace/models.py b/marketplace/models.py index 1161df4..c5b515f 100644 --- a/marketplace/models.py +++ b/marketplace/models.py @@ -1,3 +1,7 @@ +from hashlib import sha256 + +from sqlalchemy.ext.hybrid import hybrid_property + from . import db class User(db.Model): @@ -5,7 +9,15 @@ class User(db.Model): id = db.Column(db.Integer, primary_key=True) full_name = db.Column(db.String(100)) email = db.Column(db.String(100)) - password = db.Column(db.String(100)) + _password = db.Column('password', db.String(100)) + + @hybrid_property + def password(self): + return self._password + + @password.setter + def password(self, plaintext): + self._password = sha256(plaintext.encode('ascii')).hexdigest() class Listing(db.Model): __tablename__ = 'listings'