From 6bd7845b3d40f63707b5727dfa85ece584683b5f Mon Sep 17 00:00:00 2001
From: Nicolas Valcarcel
Date: Mon, 22 Jul 2019 16:40:27 -0500
Subject: [PATCH 1/4] Encrypt the passwords before saving
---
 README.md | 3 +++
 marketplace/users.py | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 078e7f2..865f8b4 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,9 @@ We create a signup page, a user model and start taking in new users.
 ### Vulnerability
 Since we are not thoughtful on what we are doing, we are storing the passwords in plain text. Meaning anyone with access to our DB, or exploiting an SQL injection, as shown in previous chapter, can easily get any user password.
+### Fix
+In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256.
+
 **Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.1-weak-password-storage/fix)**
 ## Index
diff --git a/marketplace/users.py b/marketplace/users.py
index 3d7e54f..4f1a7f1 100644
--- a/marketplace/users.py
+++ b/marketplace/users.py
@@ -1,3 +1,4 @@
+from hashlib import sha256
 from flask import Blueprint, request, render_template
 from . import db
@@ -11,7 +12,7 @@ def sign_up():
 user = User(
 full_name=request.form['full_name'],
 email=request.form['email'],
- password=request.form['password'],
+ password=sha256(request.form['password'].encode('ascii')).hexdigest(),
 )
 db.session.add(user)
 db.session.commit()
From 5b06174aa31b35c43ceda6328bfe650e192dd357 Mon Sep 17 00:00:00 2001
From: Nicolas Valcarcel
Date: Mon, 22 Jul 2019 16:41:04 -0500
Subject: [PATCH 2/4] Update next section
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 865f8b4..8360a62 100644
--- a/README.md
+++ b/README.md
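Review bot: The added `password=sha256(request.form['password'].encode('ascii')).hexdigest()` line encodes the form value as ASCII, so any password containing a non-ASCII character raises UnicodeEncodeError inside sign_up and the request fails with a 500 instead of a validation error; it also stores a single unsalted SHA-256 digest, so equal passwords share a digest and the stored value can be attacked offline at raw hash speed (the commit title and README call this "encrypt", but it is a keyless one-way hash). Encode as UTF-8 and use a password KDF with a per-user random salt and a work factor, e.g. the stdlib `hashlib.scrypt(pw.encode('utf-8'), salt=os.urandom(16), n=2**14, r=8, p=1)` with the salt stored next to the digest, or `werkzeug.security.generate_password_hash`, which Flask already depends on. The same `encode('ascii')` and unsalted digest are carried into the `User.password` setter in marketplace/models.py in PATCH 4/4, so the fix belongs there as well. The body of sign_up begins outside this hunk.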
@@ -13,7 +13,7 @@ Since we are not thoughtful on what we are doing, we are storing the passwords i
 ### Fix
 In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256.
-**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.1-weak-password-storage/fix)**
+**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.2-weak-password-storage/test)**
 ## Index
 ### 1. Vulnerable Components
From b33024257c3d4a3a1d9cf42ec011e4250895a6d2 Mon Sep 17 00:00:00 2001
From: Nicolas Valcarcel
Date: Sat, 3 Aug 2019 15:50:14 -0500
Subject: [PATCH 3/4] remove last step text
---
 README.md | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/README.md b/README.md
index d8d2878..71d7564 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,6 @@
 # Secure Coding with Python.
 ## Chapter 3: Weak Password Storage
-### Requirement
-Now that we know our DB is working, it's time to start creating some users. We should have a signup account that create the user.
-
-### Development
-We create a signup page, a user model and start taking in new users.
-
-### Vulnerability
-Since we are not thoughtful on what we are doing, we are storing the passwords in plain text. Meaning anyone with access to our DB, or exploiting an SQL injection, as shown in previous chapter, can easily get any user password.
-
 ### Fix
 In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256.
From 6882a307a735525049c05d259b196f045d210a14 Mon Sep 17 00:00:00 2001
From: Nicolas Valcarcel
Date: Thu, 8 Aug 2019 22:29:11 -0500
Subject: [PATCH 4/4] Store passwords encrypted, but not enough
---
 README.md | 3 +++
 marketplace/models.py | 14 +++++++++++++-
 marketplace/users.py | 3 +--
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 71d7564..9fb5651 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,9 @@
 ### Fix
 In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256.
+### Vulnerability
+Even though we are storing passwords encrypted, our choice of algorithm allows an attacker to perform rainbow table attacks, given access to the password hashes.
+
 **Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.2-weak-password-storage/test)**
 ## Index
diff --git a/marketplace/models.py b/marketplace/models.py
index 1161df4..c5b515f 100644
--- a/marketplace/models.py
+++ b/marketplace/models.py
@@ -1,3 +1,7 @@
+from hashlib import sha256
+
+from sqlalchemy.ext.hybrid import hybrid_property
+
 from . import db
 class User(db.Model):
@@ -5,7 +9,15 @@ class User(db.Model):
 id = db.Column(db.Integer, primary_key=True)
 full_name = db.Column(db.String(100))
 email = db.Column(db.String(100))
- password = db.Column(db.String(100))
+ _password = db.Column('password', db.String(100))
+
+ @hybrid_property
+ def password(self):
+ return self._password
+
+ @password.setter
+ def password(self, plaintext):
+ self._password = sha256(plaintext.encode('ascii')).hexdigest()
 class Listing(db.Model):
 __tablename__ = 'listings'
diff --git a/marketplace/users.py b/marketplace/users.py
index 4f1a7f1..3d7e54f 100644
--- a/marketplace/users.py
+++ b/marketplace/users.py
@@ -1,4 +1,3 @@
-from hashlib import sha256
 from flask import Blueprint, request, render_template
 from . import db
@@ -12,7 +11,7 @@ def sign_up():
 user = User(
 full_name=request.form['full_name'],
 email=request.form['email'],
- password=sha256(request.form['password'].encode('ascii')).hexdigest(),
+ password=request.form['password'],
 )
 db.session.add(user)
 db.session.commit()
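Review bot: The new `password` hybrid property in marketplace/models.py returns the stored digest from its getter while its setter hashes whatever is assigned, and nothing in the hunk documents that asymmetry, so `user.password` read in a template or serializer yields the hash and `user.password = user.password` silently re-hashes a digest. Add a docstring on the getter such as `"""SHA-256 hex digest of the password; assigning a plaintext str hashes it."""`, and give the model a verification helper rather than leaving callers to compare digests themselves, e.g. `def check_password(self, plaintext): return hmac.compare_digest(self._password, sha256(plaintext.encode('ascii')).hexdigest())` (with `import hmac`), so the comparison is constant-time. Because the getter has no separate `.expression`, the class-level `User.password` presumably resolves to the `_password` column, so a `filter_by(password=...)` query would compare a plaintext against the digest; worth a comment if such queries exist. If the setter later moves to a salted KDF, the `db.String(100)` column sized for a 64-character hex digest will need to grow. The `User` class header is outside this hunk.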