hashed password never desalts

Question

I'm using the flask micro-framework and setting up authentication manually using a msyql backend.

My sql script is storing hashed passwords in this data type: VARCHAR(50), after it is being generated by the generate_password_hash function:

  `Password` VARCHAR(50) NOT NULL ,

VARCAHR(50) is more than enough I thought...

These are the following libraries I am using:

from werkzeug import check_password_hash, generate_password_hash


@app.route('/login/', methods=['GET', 'POST'])
def login():
    """Logs the user in."""
    if g.user: return redirect(url_for('main'))
    error = None
    if request.method == 'POST':
        sql = "select password, userid from users where username = " + stringify(request.form['username'])
        cursor = g.db.cursor()
        cursor.execute(sql)
        user = cursor.fetchall()
        user = user[0]
        password = user[0]
        userid = user[1]
        if user is None:
            error = 'Invalid username'
        elif not check_password_hash(password, request.form['password']):
            error = 'Invalid password'
        else:
            flash('You were logged in')
            session['userid'] = userid
            return redirect(url_for('main'))
    return render_template('login.html', error=error)

So this is the problem:

elif not check_password_hash(password, request.form['password']):

Always returns false.

UPDATE: I get this on register:

Users/Dave/Websites/fh/app.py:143: Warning: Data truncated for column 'Password' at row 1
  g.db.cursor().execute("insert into users (username, email, password) values (%s, %s, %s)" % (username, email, password,))

I think I figured it out. I set the datatype to VARCHAR(160) and no more truncation. — The Internet, Nov 16 '12 at 07:00
Please consider using parameterizes queries instead of doing string concatenaion with "+stringify(...). See http://docs.python.org/2/library/sqlite3.html (the 4. green box from the top) — sleeplessnerd, Nov 16 '12 at 18:50
@Dave, it produces the same result *as long as you're using clean input*. Get in the habit of using parameterized queries or someday you'll find yourself the victim of an SQL injection. — Mark Ransom, Nov 16 '12 at 19:09
@sleeplessnerd *how* do parameterized queries remedy sql injection attacks? — The Internet, Nov 16 '12 at 22:55
@dave: they are (among other concerns) designed exactly for that purpose. — sleeplessnerd, Nov 18 '12 at 02:13

score 6 · Accepted Answer · answered Nov 16 '12 at 18:41

6

You do not really need 160 characters.

>>> from werkzeug.security import generate_password_hash
>>> generate_password_hash("test")
'sha1$lYmusy7y$8fc97f79a9809ab4eaee4de08d1e182d04f3dc07'
>>> len(generate_password_hash("test"))
54

are enough with the default hash algorithm sha1.

See here how this is generated: http://werkzeug.pocoo.org/docs/utils/#werkzeug.security.generate_password_hash

You use awkward terminology: "desalts" - With this method nothing is ever decrypted in any way.

Please read a little about how this all works, you are responsible for the security of your users.

answered Nov 16 '12 at 18:41

sleeplessnerd

21,853
1
25
29

1

http://en.wikipedia.org/wiki/Salt_(cryptography) http://en.wikipedia.org/wiki/Cryptographic_hash_function http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site <-(security subsection) – sleeplessnerd Nov 16 '12 at 19:06

score 0 · Answer 2 · answered Nov 16 '12 at 07:00

0

Set the datatype in mysql to Password VARCHAR(160) NOT NULL

answered Nov 16 '12 at 07:00

The Internet

7,959
10
54
89

hashed password never desalts

2 Answers2