I saved the password in the database in encrypted form, and this is done, but when I log in with that password (without encryption) it does not log in; when I use the encrypted password, it logs in. I want to log in with the decrypted password.

What I have tried:

Python
# Here is what I did to save the encrypted password in the database.
from cryptography.fernet import Fernet
import tkinter as tk
from tkinter import messagebox, ttk
import pyodbc

# root, frame and string are created elsewhere in the application.
Password = ttk.Entry(frame, textvariable=string, text="", show='*')

def std_register(path=None):
    # Raw string so the backslash in the server name is taken literally.
    conn = pyodbc.connect(r'Driver={SQL Server};Server=SHUMAILA\SHUM;Database=FYP;Trusted_Connection=yes;')
    cursor = conn.cursor()

    std_password = Password.get()
    encrypt_password = std_password.encode()
    # A new Fernet key is generated on every call and is not saved anywhere.
    key = Fernet.generate_key()
    f = Fernet(key)
    encrypted_password = f.encrypt(encrypt_password)
    cursor.execute('insert into student_registeration_record(std_password) values(?)', encrypted_password)
    messagebox.showinfo('Registered', 'Successfully registered')
    cursor.commit()

signup = tk.Button(root, text="Browse here", command=std_register)
signup.place()

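Python
# Here is what I did for logging in.

from cryptography.fernet import Fernet
import tkinter as tk
from tkinter import messagebox, ttk
import pyodbc

# root, frame and string are created elsewhere in the application.
Password_txt = ttk.Entry(frame, textvariable=string, text="", show='*')

def login(event=None):
    # Same connection string as in the registration file.
    conn = pyodbc.connect(r'Driver={SQL Server};Server=SHUMAILA\SHUM;Database=FYP;Trusted_Connection=yes;')
    cursor = conn.cursor()
    password = Password_txt.get()
    # The typed plaintext is compared directly with the stored (encrypted) column value.
    cursor.execute('select std_password from student_registeration_record where std_password=?', password)
    if cursor.fetchone() is not None:
        messagebox.showinfo("Message", "Successfully login")
    else:
        messagebox.showinfo("Message", "Invalid username or password")
    cursor.close()
    conn.close()

signin = tk.Button(root, text="Browse here", command=login)
signin.place()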


Both methods are in different files.
Updated 21-Sep-19 9:00am
v2

1 solution

Don't encrypt passwords - it's very insecure, about on a par with storing it in plain text.
This explains why and how to store them: Password Storage: How to do it. - the code is in C#, but it's pretty obvious.
 
 
Comments
Visweswaran N 21-Sep-19 22:06pm    
Hash it with SHA512 and hash it again with bcrypt with random salt. So that it is hard for brute-forcing and makes the rainbow table useless.
OriginalGriff 22-Sep-19 2:24am    
You don't need to - just hash it with the salt. No need for further encryption, that's the whole idea ... and you don't use a random salt because you need to be able to do exactly the same thing again in order to check the user input against the db when he tries to log in with it. Random salts would make the resulting hash different from the stored value...
Mostly, you use the userID (not the username) as the salt to prevent the same password appearing as the same hash value.

And how the heck do you expect any form of encryption to prevent brute forcing? That's the process of trying every possible input until you get a match, and is prevented by limiting attempts within a set time period...
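
The salted-hash storage that the answer recommends in place of encryption, as an added Python example (not code from this thread or from the linked article). It assumes PBKDF2-HMAC-SHA256 from the standard library rather than the bcrypt mentioned in the comments, an in-memory SQLite table standing in for the SQL Server database, and hypothetical columns std_id, std_salt and std_hash; the salt is stored beside the hash so that login can re-derive the hash and compare.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune for your hardware)

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the plaintext itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the SQL Server database so this runs offline.
    # Column names are assumptions; only the table name comes from the question.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table student_registeration_record ("
        "std_id text primary key, std_salt blob not null, std_hash blob not null)"
    )
    return conn

def register(conn: sqlite3.Connection, std_id: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt, stored next to the hash
    conn.execute(
        "insert into student_registeration_record values (?, ?, ?)",
        (std_id, salt, hash_password(password, salt)),
    )
    conn.commit()

def login(conn: sqlite3.Connection, std_id: str, password: str) -> bool:
    row = conn.execute(
        "select std_salt, std_hash from student_registeration_record where std_id = ?",
        (std_id,),
    ).fetchone()
    if row is None:
        # Unknown user: still derive one hash so response time stays similar.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Re-derive with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    db = open_db()
    register(db, "S001", "correct horse")  # constructed sample credentials
    print(login(db, "S001", "correct horse"), login(db, "S001", "wrong"))
```

Nothing is ever decrypted: the login form's plaintext is hashed with the stored salt and the two digests are compared.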

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


