Passwords in MySQL are not encrypted
P粉593536104 2024-03-19 21:43:49

I'm currently trying to use bcrypt to encrypt/hash my seed passwords and store them in MySQL, but it keeps giving me the same password. I'm using Python. Any help would be greatly appreciated!

user.py

import bcrypt
from app.db import Base
from sqlalchemy.orm import validates
from sqlalchemy import Column, Integer, String
# one salt generated at import time and reused for every hash
salt = bcrypt.gensalt()


class User(Base):
  __tablename__ = 'users'
  id = Column(Integer, primary_key=True)
  username = Column(String(50), nullable=False)
  email = Column(String(50), nullable=False, unique=True)
  password = Column(String(200), nullable=False)

  @validates('email')
  def validate_email(self, key, email):
    # make sure email address contains @ character
    assert '@' in email

    return email


@validates('password')
def validate_password(self, key, password):
  assert len(password) > 4

  # encrypt password
  return bcrypt.hashpw(password.encode('utf-8'), salt)

seed.py

from app.models import User
from app.db import Session, Base, engine

# drop and rebuild tables
Base.metadata.drop_all(engine)
Base.metadata.create_all(engine)

db = Session()

# insert users
db.add_all([
  User(username='alesmonde0', email='nwestnedge0@cbc.ca', password='password123'),
  User(username='jwilloughway1', email='rmebes1@sogou.com', password='password123'),
  User(username='iboddam2', email='cstoneman2@last.fm', password='password123'),
  User(username='dstanmer3', email='ihellier3@goo.ne.jp', password='password123'),
  User(username='djiri4', email='gmidgley4@weather.com', password='password123')
])

db.commit()

db.close()

Replies (2)
P粉710478990

You pass the same password and salt every time:

>>> salt = bcrypt.gensalt()
>>> bcrypt.hashpw('password123'.encode('utf-8'), salt)
b'$2b$12$L14/6UZsC4YymGUiQgBxCO5c6YoHEFDSM9ZSvBW0CgO9YkRUGkXwW'
>>> bcrypt.hashpw('password123'.encode('utf-8'), salt)
b'$2b$12$L14/6UZsC4YymGUiQgBxCO5c6YoHEFDSM9ZSvBW0CgO9YkRUGkXwW'

If you wish to produce different hashes with the same plaintext using bcrypt, regenerate the salt each time you generate a hash (as a best practice, you should do this):

>>> bcrypt.hashpw('password123'.encode('utf-8'), bcrypt.gensalt())
b'$2b$12$e1.vrDabeTDcqjqJ3Wj1fuapoGBgRaTjYNEn.v1WvuBbQLIsNlS3O'
>>> bcrypt.hashpw('password123'.encode('utf-8'), bcrypt.gensalt())
b'$2b$12$jqE4jMUeGfTLYixrR5iB0OAWSM/ZIEPiscX5fPLcxn8rOHqzJOUt6'
P粉807239416

Assumptions:

  • You have copied the exact same code as in the original file
  • And "keeps giving me the same password" means that what is saved in the database is the plaintext password, not the hash from the validator

If all of the above are correct, the problem is with indentation, i.e. the "validate_password" method is not in the User class at all. Try indenting it correctly and it should trigger and hash the password.
