django.contrib.auth user password decryption


Joshua Partogi

Apr 4, 2009, 9:38:40 AM
to django...@googlegroups.com
Dear all,

I have already taken a look at django.contrib.auth.models but could not
find any method for decrypting the user password.

Sometimes we need to get the real text password to send to the user.

What is the best way to do this? Has anybody got an idea?

Thank you very much in advance!

--
If you can't believe in God the chances are your God is too small.

Read my blog: http://joshuajava.wordpress.com/
Follow me on twitter: http://twitter.com/jpartogi

Masklinn

Apr 4, 2009, 9:49:38 AM
to django...@googlegroups.com
On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> Dear all,
>
> I have already taken a look at django.contrib.auth.models but could not
> find any method for decrypting the user password.
>
> Sometimes we need to get the real text password to send to the user.
>
> What is the best way to do this? Has anybody got an idea?
>
> Thank you very much in advance!

Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
them, and that's exactly the intent (well the intent is not that *you*
cannot retrieve them, it's that nobody else can). If you need to send
users their passwords, you have to generate new (random) passwords and
send them that.

Masklinn

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://en.wikipedia.org/wiki/Cryptographic_hash
[3] you can probably bruteforce them if you have a lot of time and
computing power to waste, and future SHA-1 breakages might help you
further, but that's all.

Joshua Partogi

Apr 4, 2009, 6:12:36 PM
to Django users


On Apr 4, 11:49 pm, Masklinn <maskl...@masklinn.net> wrote:
> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>
> > Dear all,
>
> > I have already taken a look at django.contrib.auth.models but could not
> > find any method for decrypting the user password.
>
> > Sometimes we need to get the real text password to send to the user.
>
> > What is the best way to do this? Has anybody got an idea?
>
> > Thank you very much in advance!
>
> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> them, and that's exactly the intent (well the intent is not that *you*
> cannot retrieve them, it's that nobody else can). If you need to send
> users their passwords, you have to generate new (random) passwords and
> send them that.
>
> Masklinn

Thanks for the explanation Masklinn. :-)

I'll find another way to send users their password.

Thank you very much.

soniiic

Apr 5, 2009, 4:51:03 AM
to Django users
I hope that doesn't mean storing the real password in a table in the
database :)

Adam N

Apr 5, 2009, 1:02:38 PM
to Django users
A good solution is to reset the password through the screen.

1. Validate the user through some sort of test (secret question or
something).
2. Then send them to a screen where they can reset the password
themselves to whatever they want.
3. Initiate an email to the stored email address notifying of the
password reset (in case an imposter made the change).

It's a little less secure (because of social engineering attacks), but
it's fine for a low security site while still maintaining fundamental
security at the password data level.

Keep in mind the requirement to reset an unknown password really is
for your own good. Two way encryption of passwords is unsafe both
because somebody can get and use them without the owner even knowing
that they've been compromised and because anybody with the decryption
key (often anybody with access to the codebase) can get passwords.

-Adam
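Adam's three steps as working code, added here as an example and not taken from the thread or from Django's code base (Django ships a comparable `PasswordResetTokenGenerator` in `django.contrib.auth.tokens` behind its reset views). In place of a secret question, step 1 proves control of the mailbox with an e-mailed token: an HMAC, under a server secret, over the user id, the current stored hash and an issue time. Binding the token to the stored hash makes it single-use, because once the password changes the old token no longer validates. `SERVER_SECRET`, `TOKEN_MAX_AGE`, the in-memory user dict, the `example.invalid` link and the outbox list standing in for a mailer are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Added example, not Django's code. Assumptions: SERVER_SECRET comes from
# configuration in a real deployment, users live in a dict rather than a DB,
# and "sending mail" means appending to the user's outbox list.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 60 * 60  # seconds a reset link stays valid


def _signature(user_id: int, stored_hash: str, issued_at: int) -> str:
    """HMAC over everything the token must be bound to. The password itself
    is never part of the token; only its stored hash is, so a change of
    password invalidates every token issued before it."""
    message = f"{user_id}:{stored_hash}:{issued_at}".encode("utf-8")
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def make_reset_token(user_id: int, stored_hash: str,
                     now: Optional[int] = None) -> str:
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}-{_signature(user_id, stored_hash, issued_at)}"


def check_reset_token(user_id: int, stored_hash: str, token: str,
                      now: Optional[int] = None) -> bool:
    """Valid only if unexpired, not from the future, and signed over the
    *current* stored hash of this user."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, sig = token.split("-", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_MAX_AGE:
        return False
    return hmac.compare_digest(sig, _signature(user_id, stored_hash, issued_at))


def request_reset(user: Dict, now: Optional[int] = None) -> None:
    """Step 1: prove control of the mailbox by mailing a token there.
    Nothing about the password, old or new, goes into the message."""
    token = make_reset_token(user["id"], user["password"], now)
    user["outbox"].append(
        f"To {user['email']}: use this link within an hour to set a new "
        f"password: https://example.invalid/reset/{user['id']}/{token}"
    )


def complete_reset(user: Dict, token: str, new_stored_hash: str,
                   now: Optional[int] = None) -> bool:
    """Steps 2 and 3: apply the new hash only for a valid token, then notify
    the account owner so an impostor's reset does not go unnoticed."""
    if not check_reset_token(user["id"], user["password"], token, now):
        return False
    user["password"] = new_stored_hash  # output of a hasher, never plaintext
    user["outbox"].append(
        f"To {user['email']}: your password was just changed. "
        "If this was not you, contact support immediately."
    )
    return True


if __name__ == "__main__":
    account = {"id": 7, "email": "user@example.invalid",
               "password": "pbkdf2_sha256$old", "outbox": []}
    request_reset(account)
    link_token = account["outbox"][0].rsplit("/", 1)[1]
    print(complete_reset(account, link_token, "pbkdf2_sha256$new"))   # True
    print(complete_reset(account, link_token, "pbkdf2_sha256$again")) # False, token spent
    print(*account["outbox"], sep="\n")
```

The reset form should take the new password over HTTPS and hand it straight to the hasher; the notification in step 3 goes to the address on file, not to one supplied in the request, which is what makes it useful against an impostor.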

Russell Keith-Magee

Apr 5, 2009, 8:39:37 PM
to django...@googlegroups.com

Don't. Ever. Do. This.

You should _never_ store passwords in cleartext, and you should
_never_ transmit passwords in cleartext. If you think I'm kidding,
read up on what happened to Reddit.

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

Yours,
Russ Magee %-)

Mike Ramirez

Apr 5, 2009, 8:59:37 PM
to django...@googlegroups.com

I think that every web designer should read this,

http://www.owasp.org/index.php/OWASP_AppSec_FAQ

and to address this question specifically:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ#How_can_my_.22Forgot_Password.22_feature_be_exploited.3F

and the following four questions and answers.

In the end, it also says the same things as Russ does.

Mike
--
Arcserve crashed the server again.


Joshua Partogi

Apr 6, 2009, 2:09:57 AM
to Django users
I was about to do that. :-D

But after thinking about it, I didn't do that.

Thanks guys