Swizec Teller - a geek with a hatswizec.com

    Small trick for seamless base64 password storage in django

    • OAuth logo

      Image via Wikipedia

    These days even the noobiest of the noobs know that passwords should never be stored in plain-tect on the server. For various good and bad reasons, but the gist of it is security through obscurity.

    What a few less people know is that base64 is the same as plaintext. Not only is it a very simple two way hashing function, if it can be called that, it's certainly not encryption, what's worse is that any coder worth their salt can recognise base64 encoding at a glance. Decoding it is trivial, many tools online can do it.

    On top of all of that, django already stores its user's passwords very securily with one-way hashing AND salting.

    So what the fuck am I doing trying to save passwords in base64?

    Problem

    The reason is in fact quite simple: External API's.

    Here's the problem: what do you do when your service is accessing a third party API, which doesn't support OAuth or OAuth is impractical in your situation for various reasons and the API doesn't support some other means of logging in with a hashed password. Basically, the only way you can access this API is if you know the user's password?

    The obvious solution is to fuck it and store plain-text passwords. Nothing you can do right? Hopefully nobody will hack your database and get to the passwords.

    Sure. But what when you're browsing around for debugging purposes? How do you prevent yourself from accidentally reading someone's password?

    Solution

    That's where base64 comes in.

    But since we don't want to make our code silly, here's a simple way of achieving this without ever having to worry about it again.

    class PasswordManager(models.Manager):
    use_for_related_fields = True
    def create(self, *args, **kwargs):
    try:
    kwargs['password'] = base64.encodestring(kwargs['password'])
    except KeyError:
    pass
    return super(PasswordManager, self).create(*args, **kwargs)
    def get(self, *args, **kwargs):
    data = super(PasswordManager, self).get(*args, **kwargs)
    try:
    data.password = base64.decodestring(data.password)
    except AttributeError:
    pass
    return data
    class GoogleAccount(models.Model):
    user = models.ForeignKey(User, unique=True)
    email = models.CharField(max_length=255)
    password = models.CharField(max_length=255)
    objects = PasswordManager()

    Basically we write a module manager that encodes all passwords in insert queries to base64 and decodes them again on select queries. For completeness sake it's also good to define a filter function where we perform the decoding on the whole set of returned entries. But for this sort of thing that's rarely needed because you're rarely going to be performing third party actions for miriads of users at once.

    This way we achieve perfectly seamless base64 storage of passwords. Nice and easy.

    Enhanced by Zemanta

    Did you enjoy this article?

    Published on July 14th, 2010 in Application programming interface, django, Encryption, OAuth, Password, python, Security, Shareware, Uncategorized,

    Learned something new?
    Read more Software Engineering Lessons from Production

    I write articles with real insight into the career and skills of a modern software engineer. "Raw and honest from the heart!" as one reader described them. Fueled by lessons learned over 20 years of building production code for side-projects, small businesses, and hyper growth startups. Both successful and not.

    Subscribe below 👇

    Software Engineering Lessons from Production

    Join Swizec's Newsletter and get insightful emails 💌 on mindsets, tactics, and technical skills for your career. Real lessons from building production software. No bullshit.

    "Man, love your simple writing! Yours is the only newsletter I open and only blog that I give a fuck to read & scroll till the end. And wow always take away lessons with me. Inspiring! And very relatable. 👌"

    ~ Ashish Kumar

    Join 15,883+ engineers learning lessons from my "raw and honest from the heart" emails.

    ⭐️⭐️⭐️⭐️✨
    4.5 stars average rating

    Have a burning question that you think I can answer? Hit me up on twitter and I'll do my best.

    Who am I and who do I help? I'm Swizec Teller and I turn coders into engineers with "Raw and honest from the heart!" writing. No bullshit. Real insights into the career and skills of a modern software engineer.

    Want to become a true senior engineer? Take ownership, have autonomy, and be a force multiplier on your team. The Senior Engineer Mindset ebook can help 👉 swizec.com/senior-mindset. These are the shifts in mindset that unlocked my career.

    Curious about Serverless and the modern backend? Check out Serverless Handbook, for frontend engineers 👉 ServerlessHandbook.dev

    Want to Stop copy pasting D3 examples and create data visualizations of your own? Learn how to build scalable dataviz React components your whole team can understand with React for Data Visualization

    Want to get my best emails on JavaScript, React, Serverless, Fullstack Web, or Indie Hacking? Check out swizec.com/collections

    Want to brush up on modern JavaScript syntax? Check out my interactive cheatsheet: es6cheatsheet.com

    Did someone amazing share this letter with you? Wonderful! You can sign up for my weekly letters for software engineers on their path to greatness, here: swizec.com/blog

    Want to brush up on your modern JavaScript syntax? Check out my interactive cheatsheet: es6cheatsheet.com

    By the way, just in case no one has told you it yet today: I love and appreciate you for who you are ❤️

    Created by Swizec with ❤️