For example:
username:zjm1126
password:11
I store the password to the datastore on gae. When I see the data view at /_ah/admin, I can see the password of all people that have registered.
Is it safe to do so? If not, how to store it properly?
And the check_password method is:
user=MyUser.get_by_key_name(self.request.get('username'))
if user.password == self.request.get('password'):
session['user.key']=str(user.key())
else:
raise Exception('error 404')
You should never store a password in plain text.
Use a ir-reversable data hashing algorithm, like sha or md5
Here is how you can create a hash in python:
from hashlib import sha256
from random import random
random_key = random()
sha256('%s%s%s'%('YOUR SECRET KEY',random_key,password))
You should also store the random key and hash the user supplied password similarly.
There is nothing app-engine specific or new about this question that hasn't been answered 10 times before on SO. Search Stack Overflow for store password and read the first 5 questions. That should give you a good foundation in the subject.
There are numerous posts on stackoverflow about how to use various algorithms to product the integrity of passwords. Algorithms you should look into are SHA-256/SHA-512 in conjunction with a long randomly generated salt (which would also be stored in the database) or bcrypt. I won't go into the discussion of why one is better than the other here because that discussion is already taking place in other questions.
