32👍
As @mlissner suggested the auth.User model is a good place to look. If you check the source code you’ll see that the password field is a CharField.
password = models.CharField(_('password'), max_length=128, help_text=_("Use
'[algo]$[salt]$[hexdigest]' or use the <a href=\"password/\">change password form</a>."))
The User model also has a set_password method.
def set_password(self, raw_password):
import random
algo = 'sha1'
salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
hsh = get_hexdigest(algo, salt, raw_password)
self.password = '%s$%s$%s' % (algo, salt, hsh)
You can take some clues from this method about creating the password and saving it.
8👍
I don’t think you are ever going to be able to de-hash an encrypted password that was stored in a manner similar to the normal django User passwords. Part of the security is that they are un-de-hashable.
- [Django]-Can "list_display" in a Django ModelAdmin display attributes of ForeignKey fields?
- [Django]-How to use pdb.set_trace() in a Django unittest?
- [Django]-Should server IP address be in ALLOWED_HOSTS django setting?
5👍
Your best bet (I’m aware of) is to dig into the code in the django code, and see how it’s done there. As I recall, they generate a salted hash so that the plain text values are never stored anywhere, but rather the hash and salt are.
If you go into the django installation, and poke around for words like hash and salt, you should find it pretty quickly. Sorry for the vague answer, but perhaps it will set you on the right path.
- [Django]-How can I embed django csrf token straight into HTML?
- [Django]-Django models – how to filter number of ForeignKey objects
- [Django]-How to use custom AdminSite class?
5👍
Unfortunately there isn’t an easy answer to this question because it depends on the applications you are trying to authenticate against and it also depends on how secure you want the password fields to be.
If your Django application will be using the password to authenticate against another application that requires a plaintext password to be sent, then your options are:
- Store the password in plain text in your Django model (your question implies you don’t want to do this)
- Capture a master password from the user before they can unlock their stored password for other applications
- Obfuscate the password in the model so that it can be accessed by anyone with raw datastore permissions but just isn’t obvious to human casual viewers
You could use the Django user password as the master password if you are using Django’s builtin user model. This means that you will need to keep that master password in memory which may make some operations difficult for you, such as restarting the server or running load-balanced redundant servers.
Alternative to storing passwords
Luckily many modern applications support this in another way using an access token system which is key based rather than password based. Users are guided through the process of setting up a link between the two applications and, behind the scenes, the applications generate keys to authenticate each other either permanently or with a defined expiration date.
Facebook, for example, supports this model and they have extensive documentation about how it works:
Facebook Developers: Access Tokens and Types
Once you have managed to link with Facebook using [OAuth 2.0](http://tools.ietf.org/html/draft-ietf-oauth-v2- 12) you will probably find it easier to add links to other applications using that same protocol.
- [Django]-How to register users in Django REST framework?
- [Django]-What does "'tests' module incorrectly imported" mean?
- [Django]-Django rest framework – how do you flatten nested data?
3👍
If you need a reversible password field, you could use something like this:
from django.db import models
from django.core.exceptions import ValidationError
from django.conf import settings
from os import urandom
from base64 import b64encode, b64decode
from Crypto.Cipher import ARC4
from django import forms
PREFIX = u'\u2620'
class EncryptedCharField(models.CharField):
__metaclass__ = models.SubfieldBase
SALT_SIZE = 8
def __init__(self, *args, **kwargs):
self.widget = forms.TextInput
super(EncryptedCharField, self).__init__(*args, **kwargs)
def get_internal_type(self):
return 'TextField'
def to_python(self, value):
if not value:
return None
if isinstance(value, basestring):
if value.startswith(PREFIX):
return self.decrypt(value)
else:
return value
else:
raise ValidationError(u'Failed to encrypt %s.' % value)
def get_db_prep_value(self, value, connection, prepared=False):
return self.encrypt(value)
def value_to_string(self, instance):
encriptado = getattr(instance, self.name)
return self.decrypt(encriptado) if encriptado else None
@staticmethod
def encrypt(plaintext):
plaintext = unicode(plaintext)
salt = urandom(EncryptedCharField.SALT_SIZE)
arc4 = ARC4.new(salt + settings.SECRET_KEY)
plaintext = u"%3d%s%s" % (len(plaintext), plaintext, b64encode(urandom(256-len(plaintext))))
return PREFIX + u"%s$%s" % (b64encode(salt), b64encode(arc4.encrypt(plaintext.encode('utf-8-sig'))))
@staticmethod
def decrypt(ciphertext):
salt, ciphertext = map(b64decode, ciphertext[1:].split('$'))
arc4 = ARC4.new(salt + settings.SECRET_KEY)
plaintext = arc4.decrypt(ciphertext).decode('utf-8-sig')
return plaintext[3:3+int(plaintext[:3].strip())]
The encryption part is based on the snippet on https://djangosnippets.org/snippets/1330/, I just turned it into a field model, added utf-8 support and added a prefix as a workaround for Django’s silly use of to_python()
- [Django]-Serializer call is showing an TypeError: Object of type 'ListSerializer' is not JSON serializable?
- [Django]-How can I see the raw SQL queries Django is running?
- [Django]-Simple Log to File example for django 1.3+