egoosken/2021-bordeaux-git
Create a simple authentication system

An alternative to the hopelessly boring hello world examples for an introduction to git.

Start by creating a script called auth.py

Expected usage:

  • run the script
  • the script asks for username and password
  • if the user is known and password is correct ➔ print "Successfully authenticated!"
  • if the user is known and password is wrong ➔ print "Wrong password!"
  • if the user is not known ➔ ask to add the user to the password database
  • if a user has been added ➔ store the updated database to disk

Basic API:

  • a function get_credentials that asks for username and password
  • a function authenticate that checks that the user is in the password database and that the password is correct
  • a function add_user that adds a new user and their password to the database
  • a function read_pwdb to read the password database from disk
  • a function write_pwdb to write the password database to disk

Suggestions:

  • the database can be a simple dictionary {username: password}
  • the database can be serialized to disk with json
  • to experiment you can store the database in a temporary directory
  • remember to write the database to disk every time you add a new user

Later, think about the following problems:

  • we are leaking valid usernames ➔ return a generic error if username does not exist or password is wrong
  • password hashing ➔ do not store passwords in clear text (the database could be stolen, and admins are nosy). Solution: do not store passwords at all, only their hashes
  • password salting ➔ different users with the same password should not get the same hash ⟶ cracking one does not crack all, which mitigates dictionary (precomputed-hash) attacks, see below

Addition to the basic API:

  • a function pwhash that, given a password and a salt, returns a hash
  • a function get_salt that returns a unique salt

Try to crack it! (Advanced)

Notes

To make it for real:

  • insecure temporary file (symlink race attack) ⟶ use the tempfile module and its context managers
  • better way of generating passwords or random tokens: the secrets module
  • cracking a password database is an art form, see for example the John the Ripper password cracker, Hashcat or Brutus
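One way to put the whole API together with the "later" problems and the notes above applied (salted, iterated hashes; one generic error for both failure cases; json on disk written through tempfile; salts from secrets). This is an added example, not the repository's own solution; the per-user {salt, hash} layout, the PBKDF2 iteration count and the database location are my choices, and the interactive "ask to add the user" step is left out because offering registration for unknown names would leak which usernames exist.

```python
import getpass, hashlib, json, os, secrets, tempfile

GENERIC_ERROR = "Wrong username or password!"  # same text whether user or password is wrong

def get_salt() -> str:
    """Fresh random salt per user, from the secrets module (not random)."""
    return secrets.token_hex(16)

def pwhash(password: str, salt: str) -> str:
    """Salted, iterated hash; the iteration count makes offline cracking slower."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return dk.hex()

def read_pwdb(path: str) -> dict:
    """Load {username: {"salt": ..., "hash": ...}} from a json file (empty if absent)."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def write_pwdb(path: str, db: dict) -> None:
    """Write to a private temp file in the target directory, then rename atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".pwdb-")
    with os.fdopen(fd, "w") as f:
        json.dump(db, f)
    os.replace(tmp, path)

def add_user(db: dict, username: str, password: str) -> None:
    """Store only salt and hash, never the clear-text password."""
    salt = get_salt()
    db[username] = {"salt": salt, "hash": pwhash(password, salt)}

def authenticate(db: dict, username: str, password: str) -> str:
    """Return the message to print; unknown user and wrong password look identical."""
    # dummy entry for unknown users so the same hashing work is done either way
    entry = db.get(username, {"salt": get_salt(), "hash": ""})
    if secrets.compare_digest(pwhash(password, entry["salt"]), entry["hash"]):
        return "Successfully authenticated!"
    return GENERIC_ERROR

def get_credentials() -> tuple:
    return input("Username: "), getpass.getpass("Password: ")

if __name__ == "__main__":
    pwdb_path = os.path.join(tempfile.gettempdir(), "pwdb.json")  # assumed experiment location
    pwdb = read_pwdb(pwdb_path)
    user, pw = get_credentials()
    print(authenticate(pwdb, user, pw))
```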
