Re: django.contrib.auth user password decryption
I was about to do that. :-D But after thinking about it, I didn't do that. Thanks, guys.

On Apr 5, 6:51 pm, soniiic wrote:
> I hope that doesn't mean storing the real password in a table in the
> database :)
>
> On Apr 4, 11:12 pm, Joshua Partogi wrote:
> > On Apr 4, 11:49 pm, Masklinn wrote:
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > > Dear all,
> > > >
> > > > I already took a look at django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
> > > >
> > > > Sometimes we need to get the real text password to be sent to the user.
> > > >
> > > > What is the best way to do this? Does anybody have an idea?
> > > >
> > > > Thank you very much in advance!
> > >
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > > them, and that's exactly the intent (well, the intent is not that *you*
> > > cannot retrieve them, it's that nobody else can). If you need to send
> > > users their passwords, you have to generate new (random) passwords and
> > > send them that.
> > >
> > > Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send the user their password.
> >
> > Thank you very much.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
Re: django.contrib.auth user password decryption
On Sunday 05 April 2009 05:39:37 pm Russell Keith-Magee wrote:
> On Sun, Apr 5, 2009 at 6:12 AM, Joshua Partogi wrote:
> > On Apr 4, 11:49 pm, Masklinn wrote:
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > > Dear all,
> > > >
> > > > I already took a look at django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
> > > >
> > > > Sometimes we need to get the real text password to be sent to the user.
> > > >
> > > > What is the best way to do this? Does anybody have an idea?
> > > >
> > > > Thank you very much in advance!
> > >
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > > them, and that's exactly the intent (well, the intent is not that *you*
> > > cannot retrieve them, it's that nobody else can). If you need to send
> > > users their passwords, you have to generate new (random) passwords and
> > > send them that.
> > >
> > > Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send the user their password.
>
> Don't. Ever. Do. This.
>
> You should _never_ store passwords in cleartext, and you should
> _never_ transmit passwords in cleartext. If you think I'm kidding,
> read up on what happened to Reddit.
>
> http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
>
> Yours,
> Russ Magee %-)

I think that every web designer should read this:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ

and, to address this question specifically:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ#How_can_my_.22Forgot_Password.22_feature_be_exploited.3F

and the following four questions and answers. In the end, it says the same things as Russ does.

Mike
--
Arcserve crashed the server again.
Re: django.contrib.auth user password decryption
On Sun, Apr 5, 2009 at 6:12 AM, Joshua Partogi wrote:
> On Apr 4, 11:49 pm, Masklinn wrote:
> > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > Dear all,
> > >
> > > I already took a look at django.contrib.auth.models but could not
> > > find any methods for decrypting the user password.
> > >
> > > Sometimes we need to get the real text password to be sent to the user.
> > >
> > > What is the best way to do this? Does anybody have an idea?
> > >
> > > Thank you very much in advance!
> >
> > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > them, and that's exactly the intent (well, the intent is not that *you*
> > cannot retrieve them, it's that nobody else can). If you need to send
> > users their passwords, you have to generate new (random) passwords and
> > send them that.
> >
> > Masklinn
>
> Thanks for the explanation Masklinn. :-)
>
> I'll find another way to send the user their password.

Don't. Ever. Do. This.

You should _never_ store passwords in cleartext, and you should
_never_ transmit passwords in cleartext. If you think I'm kidding,
read up on what happened to Reddit.

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

Yours,
Russ Magee %-)
Re: django.contrib.auth user password decryption
A good solution is to reset the password through the screen.

1. Validate the user through some sort of test (secret question or something).
2. Then send them to a screen where they can reset the password themselves to whatever they want.
3. Initiate an email to the stored email address notifying them of the password reset (in case an imposter made the change).

It's a little less secure (because of social engineering attacks), but it's fine for a low-security site while still maintaining fundamental security at the password data level.

Keep in mind the requirement to reset an unknown password really is for your own good. Two-way encryption of passwords is unsafe both because somebody can get and use them without the owner even knowing that they've been compromised, and because anybody with the decryption key (often anybody with access to the codebase) can get passwords.

-Adam

On Apr 5, 4:51 am, soniiic wrote:
> I hope that doesn't mean storing the real password in a table in the
> database :)
>
> On Apr 4, 11:12 pm, Joshua Partogi wrote:
> > On Apr 4, 11:49 pm, Masklinn wrote:
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > > Dear all,
> > > >
> > > > I already took a look at django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
> > > >
> > > > Sometimes we need to get the real text password to be sent to the user.
> > > >
> > > > What is the best way to do this? Does anybody have an idea?
> > > >
> > > > Thank you very much in advance!
> > >
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > > them, and that's exactly the intent (well, the intent is not that *you*
> > > cannot retrieve them, it's that nobody else can). If you need to send
> > > users their passwords, you have to generate new (random) passwords and
> > > send them that.
> > >
> > > Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send the user their password.
> >
> > Thank you very much.
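The three-step reset flow in Adam's post, as an added example that is not part of the thread and not Django's contrib.auth code. It swaps the secret question of step 1 for a single-use, expiring token e-mailed to the stored address (the user proves control of the mailbox rather than knowledge of an answer, which sidesteps the social-engineering weakness Adam mentions), stores only the token's hash so a database read yields no usable reset link, lets the user choose the new password on the reset screen (step 2), and sends the step-3 notification to the stored address after a successful change. `ResetService`, `User`, the in-memory `users` dict and `outbox` list, the 15-minute window and the PBKDF2 iteration count are all assumptions made for the example.

```python
"""
Example password-reset flow written for this thread (not Django's
contrib.auth code). The in-memory `users` dict and `outbox` list are
constructed stand-ins for the database and the mail server.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window


@dataclass
class User:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None  # hash only; the raw token is never stored
    reset_expires: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ResetService:
    def __init__(self, clock=time.time):
        self.users: Dict[str, User] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, subject) standing in for sent mail
        self.clock = clock  # injectable so expiry can be exercised without sleeping

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: issue a token to the stored address. The raw token is returned
        only so the example can follow the link; in production it belongs in the
        e-mail body alone. Unknown addresses get the same silent outcome so the
        form does not reveal which accounts exist."""
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
        user.reset_expires = self.clock() + TOKEN_TTL_SECONDS
        self.outbox.append((email, "Password reset link"))
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: the reset screen. The token must match, be unexpired and unused;
        on success the password is replaced and the token burned."""
        user = self.users.get(email)
        if user is None or user.reset_token_hash is None:
            return False
        if self.clock() > user.reset_expires:
            user.reset_token_hash = None  # expired tokens are discarded, not retried
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(presented, user.reset_token_hash):
            return False
        user.pw_salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.pw_salt)
        user.reset_token_hash = None  # single use
        # Step 3: tell the real owner, in case someone else drove the reset.
        self.outbox.append((email, "Your password was changed"))
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(hash_password(password, user.pw_salt), user.pw_hash)


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice@example.com", "old-secret")
    link_token = svc.request_reset("alice@example.com")
    print(svc.complete_reset("alice@example.com", link_token, "new-secret"))
    print(svc.login("alice@example.com", "new-secret"))
    print(svc.outbox)
```

The two things worth copying into a real implementation are that the stored value is a hash of the token, not the token, and that the token is invalidated on expiry and on first use, so a leaked database row or a replayed link does not reset anyone's password.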
Re: django.contrib.auth user password decryption
I hope that doesn't mean storing the real password in a table in the database :)

On Apr 4, 11:12 pm, Joshua Partogi wrote:
> On Apr 4, 11:49 pm, Masklinn wrote:
> > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > Dear all,
> > >
> > > I already took a look at django.contrib.auth.models but could not
> > > find any methods for decrypting the user password.
> > >
> > > Sometimes we need to get the real text password to be sent to the user.
> > >
> > > What is the best way to do this? Does anybody have an idea?
> > >
> > > Thank you very much in advance!
> >
> > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > them, and that's exactly the intent (well, the intent is not that *you*
> > cannot retrieve them, it's that nobody else can). If you need to send
> > users their passwords, you have to generate new (random) passwords and
> > send them that.
> >
> > Masklinn
>
> Thanks for the explanation Masklinn. :-)
>
> I'll find another way to send the user their password.
>
> Thank you very much.
Re: django.contrib.auth user password decryption
On Apr 4, 11:49 pm, Masklinn wrote:
> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > Dear all,
> >
> > I already took a look at django.contrib.auth.models but could not
> > find any methods for decrypting the user password.
> >
> > Sometimes we need to get the real text password to be sent to the user.
> >
> > What is the best way to do this? Does anybody have an idea?
> >
> > Thank you very much in advance!
>
> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> them, and that's exactly the intent (well, the intent is not that *you*
> cannot retrieve them, it's that nobody else can). If you need to send
> users their passwords, you have to generate new (random) passwords and
> send them that.
>
> Masklinn

Thanks for the explanation Masklinn. :-)

I'll find another way to send the user their password.

Thank you very much.
Re: django.contrib.auth user password decryption
On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> Dear all,
>
> I already took a look at django.contrib.auth.models but could not
> find any methods for decrypting the user password.
>
> Sometimes we need to get the real text password to be sent to the user.
>
> What is the best way to do this? Does anybody have an idea?
>
> Thank you very much in advance!

Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
them, and that's exactly the intent (well, the intent is not that *you*
cannot retrieve them, it's that nobody else can). If you need to send
users their passwords, you have to generate new (random) passwords and
send them that.

Masklinn

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://en.wikipedia.org/wiki/Cryptographic_hash
[3] You can probably bruteforce them if you have a lot of time and
computing power to waste, and future SHA-1 breakages might help you
further, but that's all.
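To make Masklinn's point concrete, here is an added example (not Django's code and not part of the thread) that re-implements the `algorithm$salt$hexdigest` format Django stored in its `password` column at the time, SHA-1 over the salt concatenated with the password. Verification only recomputes the digest and compares; there is no inverse operation to call, which is what the original question was asking for. The third function shows footnote [3] in practice: the salt blocks precomputed tables, but one fast SHA-1 per guess means a wordlist still runs quickly, which is why later Django releases moved to a slow, iterated hasher. The last function is the recommended alternative, a fresh random password generated from the OS CSPRNG. The function names, the salt length and the constructed wordlist are assumptions of the example.

```python
"""
Stand-alone illustration of the sha1$salt$hexdigest storage format and
why it cannot be "decrypted". Example code written for this thread; the
helpers re-implement the format locally so the script runs without Django.
"""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional


def make_password(raw_password: str, salt: Optional[str] = None) -> str:
    """Return 'sha1$<salt>$<hex>': SHA-1 over salt + raw_password, with the salt
    stored in the clear beside the digest so it can be re-applied at login."""
    if salt is None:
        salt = secrets.token_hex(8)  # assumption: salt length chosen for the example
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return f"sha1${salt}${digest}"


def check_password(raw_password: str, encoded: str) -> bool:
    """Verification recomputes the digest from the stored salt and the candidate
    password; nothing here recovers raw_password from `encoded`."""
    algorithm, salt, digest = encoded.split("$", 2)
    if algorithm != "sha1":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    candidate = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    # constant-time compare so the check does not leak how many digits matched
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(encoded: str, wordlist: Iterable[str]) -> Optional[str]:
    """Footnote [3] in practice: the salt defeats precomputed tables, but each
    guess costs one SHA-1, so a wordlist is cheap to try. Returns the first
    word that verifies, or None."""
    for word in wordlist:
        if check_password(word, encoded):
            return word
    return None


def generate_temporary_password(length: int = 16) -> str:
    """What the reply recommends instead of decryption: a fresh random password
    to send the user, who should then be made to change it at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    stored = make_password("correct horse", salt="a1b2c")
    print(stored)
    print(check_password("correct horse", stored))
    print(check_password("wrong", stored))
    # constructed wordlist standing in for a real cracking dictionary
    print(dictionary_attack(stored, ["password", "123456", "correct horse"]))
    print(generate_temporary_password())
```

Run as-is, it prints the stored string, `True`, `False`, the recovered word and a random replacement password. The recovered word is the practical answer to "can I get the plaintext back": only by guessing it, never by reversing the digest.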
django.contrib.auth user password decryption
Dear all,

I already took a look at django.contrib.auth.models but could not
find any methods for decrypting the user password.

Sometimes we need to get the real text password to be sent to the user.

What is the best way to do this? Does anybody have an idea?

Thank you very much in advance!

--
If you can't believe in God the chances are your God is too small.
Read my blog: http://joshuajava.wordpress.com/
Follow me on twitter: http://twitter.com/jpartogi