在Djang中如何使用Bcrypt加密密码

2024-04-29 08:27:00 发布

您现在位置:Python中文网/ 问答频道 /正文
607 3

我试图使用Bcrypt来加密用户注册时提供的密码,然后使用Bcrypt根据存储在数据库中的哈希版本验证用户登录时提供的密码。

关于如何通过Django docs在上安装Bcrypt,有一些相当好的文档,但它们实际上并没有向您展示如何使用Bcrypt散列密码或使用其他命令。

你需要从某处导入Brcrypt吗?如果是,正确的语法是什么?散列密码和比较散列密码与非散列密码的语法是什么?

我在settings.py文件中安装了Bcrypted库,还通过pip安装了Bcrypt。使用Bcrypt还需要做什么?


Tags: 文件django用户文档py命令版本数据库
2条回答
网友
1楼 · 编辑于 2024-04-29 08:27:00

7stud答案的简短版本

在Django 1.9默认模板项目中,使用create_user

User.objects.create_user(username='uname', password='mypass')

而不是不散列密码的create

另一个选项是设置密码:

user = User(username='uname')
user.set_password('mypass')
user.save()

最后,您还可以对在:How to quickly encrypt a password string in Django without an User Model?中提到的字符串进行操作

网友
2楼 · 编辑于 2024-04-29 08:27:00

在您的链接:

The password attribute of a User object is a string in this format:

<algorithm>$<iterations>$<salt>$<hash>Those are the components used for storing a User’s password, separated by the dollar-sign character and consist of: the hashing algorithm, the number of algorithm iterations (work factor), the random salt, and the resulting password hash. The algorithm is one of a number of one-way hashing or password storage algorithms Django can use; see below. Iterations describe the number of times the algorithm is run over the hash. Salt is the random seed used and the hash is the result of the one-way function.

I installed the Bcrypted library in the settings.py file... What else do I need to do to use Bcrypt?

我不知道第一句话是什么意思。您需要在settings.py中放入以下内容:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)

use Bcrypt to validate a password a user provides upon login against the hashed version stored in the database.

您可以手动执行此操作:

The django.contrib.auth.hashers module provides a set of functions to create and validate hashed password. You can use them independently from the User model.

check_password(password, encoded)
If you’d like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function check_password(). It takes two arguments: the plain-text password to check, and the full value of a user’s password field in the database to check against, and returns True if they match, False otherwise.

https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#module-django.contrib.auth.hashers

或者,您可以使用authenticate()

authenticate(**credentials)
To authenticate a given username and password, use authenticate(). It takes credentials in the form of keyword arguments, for the default configuration this is username and password, and it returns a User object if the password is valid for the given username. If the password is invalid, authenticate() returns None. Example:

from django.contrib.auth import authenticate

user = authenticate(username='john', password='password to check')

if user is not None:
    # the password verified for the user
    if user.is_active:
        print("User is valid, active and authenticated")
    else:
        print("The password is valid, but the account has been disabled!")
else:
    # the authentication system was unable to verify the username and password
    print("The username and password were incorrect.")

https://docs.djangoproject.com/en/1.9/topics/auth/default/#authenticating-users

下面是一些例子:

(django186p34)~/django_projects/dj1$ python manage.py shell

Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)

>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)

('django.contrib.auth.hashers.PBKDF2PasswordHasher',
 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
 'django.contrib.auth.hashers.BCryptPasswordHasher',
 'django.contrib.auth.hashers.SHA1PasswordHasher',
 'django.contrib.auth.hashers.MD5PasswordHasher',
 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 
 'django.contrib.auth.hashers.CryptPasswordHasher')

这些是默认值:my settings.py中没有用于PASSWORD_HASHERS的条目。

>>> from django.contrib.auth.models import User

>>> my_user = User.objects.create_user('ea87', 'ea@gmail.com', '666monkeysAndDogs777')

>>> my_user.save()
>>> my_user.password
'pbkdf2_sha256$20000$L7uq6goI1HIl$RYqywMgPywhhku/YqIxWKbpxODBeczfLm5zthHjNSSk='
>>> my_user.username
'ea87'

>>> from django.contrib.auth import authenticate

>>> authenticate(username='ea87', password='666monkeysAndDogs777')
<User: ea87>

>>> print(authenticate(username='ea87', password='wrong password'))
None

>>> from django.contrib.auth.hashers import check_password

>>> check_password('666monkeysAndDogs777', my_user.password)
True

>>> exit()

接下来,我将以下内容添加到settings.py:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)

(django186p34)~/django_projects/dj1$ python manage.py shell

Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)

>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
 'django.contrib.auth.hashers.BCryptPasswordHasher',
 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
 'django.contrib.auth.hashers.SHA1PasswordHasher',
 'django.contrib.auth.hashers.MD5PasswordHasher', 
 'django.contrib.auth.hashers.CryptPasswordHasher')

注意元组前面的bcrypt散列。

>>> from django.contrib.auth.models import User

>>> user = User.objects.get(username='ea87')
>>> user
<User: ea87>

>>> user.password
'pbkdf2_sha256$20000$DS20ZOCWTBFN$AFfzg3iC24Pkj5UtEu3O+J8KOVBQvaLVx43D0Wsr4PY='

>>> user.set_password('666monkeysAndDogs777')
>>> user.password
'bcrypt_sha256$$2b$12$QeWvpi7hQ8cPQBF0LzD4C.89R81AV4PxK0kjVXG73fkLoQxYBundW'

您可以看到密码已更改为bcrypt版本。

相关问题 更多 >

    编程相关推荐