ex: username:zjm1126 password:11

I stored the password in the datastore on GAE,

when I look at the data view at /_ah/admin, I can see the passwords of all the people who registered,

I think it is not safe, yes?

Is the password stored like this?

How should I store passwords?

thanks


and the check_password method is:

user = MyUser.get_by_key_name(self.request.get('username'))
# Compares the submitted password directly against the plaintext value
# stored in the datastore (this is the problem the question is about).
if user is not None and user.password == self.request.get('password'):
    session['user.key'] = str(user.key())
else:
    raise Exception('error 404')
+5  A: 

You should never store a password in plain text.

Use an irreversible data hashing algorithm, like SHA or MD5

Here is how you can create a hash in python:

from hashlib import sha256
from random import random

random_key = random()                 # per-user salt; store it next to the hash
password = 'THE PASSWORD TO STORE'    # the password the user submitted
# hashlib needs bytes, and .hexdigest() gives the storable hex string
hashed = sha256(('%s%s%s' % ('YOUR SECRET KEY', random_key, password)).encode('utf-8')).hexdigest()

You should also store the random key and hash the user supplied password similarly.

Lakshman Prasad
md5 should not be recommended.
systempuntoout
md5 is okay for small databases, I doubt you will have enough users to clash
DanDan
A: 

There are numerous posts on Stack Overflow about how to use various algorithms to protect the integrity of passwords. Algorithms you should look into are SHA-256/SHA-512 in conjunction with a long randomly generated salt (which would also be stored in the database) or bcrypt. I won't go into the discussion of why one is better than the other here because that discussion is already taking place in other questions.

Taylor Leese
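The advice in the two answers above (a per-user random salt plus a SHA-2 based hash, and a constant-time check instead of the plaintext comparison in the question's check_password) put into working form, as an added example that is not code from either answer. It uses only the standard library; the record format, ITERATIONS and SALT_BYTES are my own choices.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example: a per-user random salt and an
# iterated hash (PBKDF2-HMAC-SHA256), so that a copy of the datastore seen
# at /_ah/admin reveals no plaintext and is slow to guess against.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_password_record(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    Only this string goes into the datastore; the plaintext never does.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh cryptographic salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def check_password(stored_record, candidate):
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored_record.split("$")
    except ValueError:
        return False  # malformed or legacy record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the comparison stops
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = make_password_record("11")   # the password from the question
    print(record)                         # safe to display in the admin view
    print(check_password(record, "11"))   # True
    print(check_password(record, "12"))   # False
```

In the handler from the question, `user.password` would hold the record string and the `==` test becomes `check_password(user.password, self.request.get('password'))`.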
+3  A: 

There is nothing app-engine specific or new about this question that hasn't been answered 10 times before on SO. Search Stack Overflow for store password and read the first 5 questions. That should give you a good foundation in the subject.

Peter Recore