There is a mystical aura around password creation. Some kind of occult knowledge reached only by the distant cryptographic hermits who ascended to nirvana after decades of meditation on the Patagonian glaciers and liters of instant coffee. In this article, we will try to translate a few drops of this ancient wisdom so that we, mere mortals, have secure accounts to store pictures of cats and e-books that we will never read. First of all, this article is recommended not only for novice programmers, but for users who want to know why the hell they need a humanly unpronounceable password. Requirements: If you are reading this article, I assume you are familiar with programming languages or, at least, with their logic. We will use Python 3 to create a user creation program as simply as possible. If you are a beginner, please read about data entry and exit before proceeding. In the beginning, God created a to-do list, and human beings, in his image and likeness, tend to copy this strategy. This is what we need to do: Save the user name; Ensure that his password is secure; Save the password securely; Rest on the seventh day; The Holy Name of the User [Don't forget it, please] There are no secrets here. Let the user be called the way they prefer, it is not our duty to judge him. Let's take the opportunity to get our basic class ready. The digital representation of God's : Ctrl + C/Ctrl + V self.username = user
        self.passwd = passwd
        self.salt = salt : class User : def __init__ (self, user, passwd, salt) Don't worry about "salt". We will talk about it soon. Is Your Password Worthy? I would love to talk about how a code of less than forty lines can generate millions of passwords per second, pull hidden words from the depths of your soul and test them with the same ease with which we procrastinate on Netflix or check our email. However, stick to what is strictly necessary. Let us leave the whys to the philosophers, drunks and beggars. <----------------------------------------------------------------------> Safety Practicality The stunningly beautiful hieroglyph above describes how advanced societies calculated the need for their passwords. They found that the security of a system is proportionally inverse to its practicality of use. That is, pulling the coal to our sardine, the more secure a password is, the more complex it will be. [found in the gold halls of Eldorado, South America] In our study, we will arbitrarily decide that a decent password needs: At least six characters; At least six digits; At least two special characters; Which leaves us with fourteen characters minimum; Let's create the method that will receive the password and check the level of dignity : (For the sake of simplicity, we are not distinguishing between uppercase and lowercase characters.) : len(passwd) < :
                print( ) counter = i passwd: i self.passwd_characteres:
                    counter += counter < :
                print( ) counter = i passwd: i self.passwd_numbers:
                    counter += counter < :
                print( ) counter = i passwd: i self.passwd_special:
                    counter += counter < :
                print( ) : def check_passwd (self, passwd) """ Check if is a valid password """ while True # Check Size if 14 "This password is too short." break # Check Ascii Letters 0 for in if in 1 if 6 "Your password need at last six (6) characteres." break # Check Digits 0 for in if in 1 if 6 "Your password need at last six (6) digits." break # Check Special Characteres 0 for in if in 1 if 2 "Your password need at last two (2) special characteres." break # The password has passed! return True You may have noticed that this method belongs to a class. We created a manager to test these functions. We are only discussing the main functions, the complete code will be available at the end. The Password Seems Worthy. And now? is exactly the word. Nothing prevents the user from typing or , or anything like that. We are taking on the role of enlightened beings and therefore do not trust the user. If his password is weak it is our system that will be insecure, not just his data. Damn users! Fortunately, in , there is a secret called : "Seems" aaaaaa000000 ** @abcedf123456@ Python secrets secrets import Everything you need to know about it is . (#ReadtheDocs) Let's get straight to the point. That's where our comes in. is a pinch, a little thing that we add to the user's password to ensure it is secure. We can generate it automatically using the secrets module. It provides several types of tokens, particularly I prefer this one: here "salt" "Salt" secrets.token_urlsafe( ) # 32 is the number of bytes of the text to be generated. 32 You can add the salt at the beginning, in the middle or at the end of the password. Here, we will use the end and the password will end more or less like this: "aaaaaa*000000*ALE_tEwJXs87D-yfgU-D7DWbASX5g_D-oENWUIBi1q8" If someone can figure this out through trial and error, please give him all of your other passwords. He deserves it for the effort. Are we done? There is an Episode Waiting for Me. No. Bring the mouse pointer back and read. Now we have a reasonably secure password, how should we save it? It's time to activate the last trap card in the article: you must know something about before continuing. If you don't know, roll the dice with disadvantage and try again later. There are a few reasons why you should encrypt a password before saving it. hashes The most important is that if an attacker has access to the database, he will not have the passwords available immediately. Therefore, even if a large part is compromised, he will not be able to access the accounts and their respective data. Finally, let's turn the potentially suspicious password into a nightmare for spy decoders: worthy_password = hashlib.sha256((password + salt).encode()).hexdigest() Stay strong, life won't wait for you. We are finishing. In the end, God made another list. One about the completed tasks. He (or us) had a username, a for this user and an encrypted password. We saved this separately, as the class allowed us. We saved the salt so that, in an attempt to login, we add it to the password entered exactly as we did at creation and check if the hashes are identical. If they are, the password is correct and we will have no complications for the next few minutes. Or until the user forgets the password again, whichever comes first. "salt" User So, we're done. Now we understand, now we get it. Now all the pieces fit together and we feel stupid for not having noticed before how the gears turn and the world rotates. Below is the complete code, organized in a manager ready to be tested. For more drops of Patagonian wisdom - or excerpts of guessing - access the on . Prometheus Prototype Telegram hashlib secrets string self.username = user
        self.passwd = passwd
        self.salt = salt self.users = []
        self.passwd_characteres = string.ascii_letters
        self.passwd_numbers = string.digits
        self.passwd_special = string.punctuation input( ) input( ) user self.users: user.username == new_username:
                print( ) : len(passwd) < :
                print( ) counter = i passwd: i self.passwd_characteres:
                    counter += counter < :
                print( ) counter = i passwd: i self.passwd_numbers:
                    counter += counter < :
                print( ) counter = i passwd: i self.passwd_special:
                    counter += counter < :
                print( ) salt = secrets.token_urlsafe( )
        encripted_passwd = hashlib.sha256((passwd + salt).encode()).hexdigest() (encripted_passwd, salt) :
            user = input( ) self.check_username(user): :
            passwd = input( ) self.check_passwd(passwd):
                pass_pack = self.protect_passwd(passwd) new_user = User(user, pass_pack[ ], pass_pack[ ])
        self.users.append(new_user)
        print( ) manager = Manager()
manager.create_new_user() print( )
print( + manager.users[ ].username)
print( + manager.users[ ].passwd)
print( + manager.users[ ].salt)
print( )
input( ) # ================================================================== # # The **basics** of how to save a reasonably secure username and # password. # ================================================================== # #  DEPENDENCIES # ================================================================== # import import import # ================================================================== # #  USER CLASS # ================================================================== # : class User : def __init__ (self, user, passwd, salt) # ================================================================== # #  MANAGER CLASS # ================================================================== # : class Manager : def __init__ (self) : def input_username (self) """ Gets the Username """ return "Enter your user name: " : def input_passwd (self) """ Gets the Password """ return "Enter your user name: " : def check_username (self, new_username) """ Check if is a valid Username """ for in if "This username already exists." return True return False : def check_passwd (self, passwd) """ Check if is a valid password """ while True # Check Size if 14 "This password is too short." break # Check Ascii Letters 0 for in if in 1 if 6 "Your password need at last six (6) characteres." break # Check Digits 0 for in if in 1 if 6 "Your password need at last six (6) digits." break # Check Special Characteres 0 for in if in 1 if 2 "Your password need at last two (2) special characteres." break # The password has passed! return True : def protect_passwd (self, passwd) """ Encrypt the password before save it. """ 32 return : def create_new_user (self) """ Create a new user. """ while True "Type your username: " if not break while True "Type your password: " if break # Well done! 0 1 "\nWellcome to this database!" # ================================================================== # # We're done here. To load the user safely, simply add the 'salt' # saved in the profile to the password entered at the time of login. # ================================================================== # # TESTING: # Let's see: "\n" "User name: " 0 "Saved password: " 0 "This-user salt: " 0 "\n" "Press anything to quit."

Netflix

The Prometheus Prototype

Read My Stories

Too Long; Didn't Read

Making security fun one episode at a time

Saving Passwords with Relative Security [A Guide for Dummies]

Too Long; Didn't Read

Company Mentioned

wbk#!$4

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Saving Passwords with Relative Security [A Guide for Dummies]

Too Long; Didn't Read

Company Mentioned

wbk#!$4

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES