This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

Possibility to change password encryption #143

Closed
dinoshauer opened this issue Jul 31, 2013 · 16 comments

Comments

@dinoshauer

Hello!

I've made the horrible mistake of not setting SECURITY_PASSWORD_HASH to something other than plain text and was hoping there was a way to change all the passwords to a hashed format on the fly?

It would be pretty cool in the future if there was a method for this kind of stuff :)

@mattupstate
Collaborator

You should not have to do anything beyond changing the setting. The next time the user successfully logs in, their password will be updated to the new hash type. This is done in the verify_and_update_password function.

@KasperJacobsen

It is not working though, I've tried changing app.config['SECURITY_PASSWORD_HASH'] from 'plaintext' to 'pbkdf2_sha512' with a salt, but when I try to log in I get the Invalid password message.

@KangOl
Contributor

KangOl commented Nov 16, 2013

The problem is that flask-security does not store encrypted passwords in the database.
It stores the encrypted HMAC of the password... unless you choose not to encrypt the password.
In this case, you're stuck in plaintext mode. Or you force all your users to reset their password.

Pull request coming in the next few minutes.

KangOl added a commit to KangOl/flask-security that referenced this issue Nov 16, 2013
… a better one and (optionnaly) automatically re-hash passwords as users log in.

Follow up of pallets-eco#65
Fix pallets-eco#143
@robin-wittler

Tested flask-security today and I was a little bit confused when I took a look at the database and saw passwords not encrypted. After applying your patch everything works as suggested. Thank you! ;)

@mattupstate
Collaborator

It all depends on how you add users to your database. If you have set SECURITY_REGISTERABLE = True, and are only adding users via the built-in registration form, then you'll be fine. If you're adding users by any other means you must encrypt the password using flask_security.utils.encrypt_password before saving the user record in your database.
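The two rules in this thread, hash before `create_user` and re-hash on the next successful login, as an added illustrative model (not Flask-Security's own code): the verifier works out the scheme from the stored value rather than from the config, so records written in `plaintext` mode still verify after the config changes and get migrated to the configured scheme. `PASSWORD_SALT`, `ROUNDS`, the `$pbkdf2-sha512$` record format and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-ins for SECURITY_PASSWORD_SALT and the PBKDF2 work factor.
PASSWORD_SALT = b"constructed-example-salt"
ROUNDS = 100_000

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def keyed_password(password: str) -> bytes:
    # Flask-Security first HMACs the password with the configured salt and
    # hashes that, as KangOl describes above; modelled here with SHA-512.
    return hmac.new(PASSWORD_SALT, password.encode(), hashlib.sha512).hexdigest().encode()

def hash_password(password: str, scheme: str) -> str:
    # Plays the role of encrypt_password(): call this before create_user().
    if scheme == "plaintext":
        return password
    if scheme == "pbkdf2_sha512":
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha512", keyed_password(password), salt, ROUNDS)
        return "$pbkdf2-sha512$%d$%s$%s" % (ROUNDS, b64(salt), b64(dk))
    raise ValueError("unsupported scheme: %s" % scheme)

def identify(stored: str) -> str:
    # The stored value, not the config, tells us which scheme produced it.
    return "pbkdf2_sha512" if stored.startswith("$pbkdf2-sha512$") else "plaintext"

def verify(stored: str, password: str) -> bool:
    if identify(stored) == "plaintext":
        return hmac.compare_digest(stored.encode(), password.encode())
    _, _, rounds, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha512", keyed_password(password),
                               base64.b64decode(salt), int(rounds))
    return hmac.compare_digest(cand, base64.b64decode(dk))

def verify_and_update(stored: str, password: str, configured: str):
    """Return (ok, replacement). replacement is a fresh hash in the
    configured scheme when the stored record is in an older one."""
    if not verify(stored, password):
        return False, None
    if identify(stored) != configured:
        return True, hash_password(password, configured)
    return True, None
```

A verifier that instead assumes every stored value already uses the configured scheme is what produces the "Invalid password" result reported above after switching from `plaintext`.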

@KangOl
Contributor

KangOl commented Nov 17, 2013

The problem is if you change your SECURITY_PASSWORD_HASH config from plaintext to anything else, existing users cannot log in.

@robin-wittler

On 11/17/2013 08:59 PM, Matt Wright wrote:

It all depends on how you add users to your database. If you have set
|SECURITY_REGISTERABLE = True|, and are only adding users via the
built-in registration form, then you'll be fine. If you're adding users
by any other means you must encrypt the password using
|flask_security.utils.encrypt_password| before saving the user record in
your database.

Yes - looks like I stumbled over this behavior. I've just followed the tutorial and created a user with the @app.before_first_request and thought that the "user_datastore.create_user" call would do everything which is necessary to have a secure (and encrypted) password in the database.

Later I looked at the code and saw that this call will do only things with Roles. Then I used encrypt_password in the "user_datastore.create_user" call and the password was stored encrypted in the database.

From my point of view this behavior is unexpected. I think the datastore.create_user call (or better the self._prepare_create_user_args call) should also do the encryption stuff.

At least (IMHO) you should think about pointing out this behavior clearly in your tutorial - or extend self._prepare_create_user_args to do encryption.

Anyway - thank you for flask-security and keep up your good work. ;)


@dinoshauer
Author

@KangOl the patch is working on 1.7.0
Thank you very much

@mattupstate
Collaborator

@KangOl revisiting this, are you still concerned? Or have you moved on?

@bdemirtas

Hi guys, I was wondering if there is a way to use SHA1 encryption. I know it's not good but one of my client's existing user passwords are based on sha1 and I am redeveloping the application but they want full compatibility.

Thanks

@mattupstate
Collaborator

FWIW, I've fixed and tested this in the pytest branch

@mattupstate
Collaborator

@bdemirtas SHA1 is not supported, sorry.

@citizen-stig

@mattupstate that's really sad. Django has a PasswordHasher class, that can be overwritten by the developer, so it brings more flexibility.
Why didn't you want to allow that?

@citizen-stig

Also pbkdf2_sha1 is the default in werkzeug (https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/security.py#L204), so a lot of projects that were not built from scratch can run into this problem.

@adityagupta679

adityagupta679 commented Jan 7, 2017

@mattupstate I am wondering why encryption is not built in with create_user.

@adityagupta679

Explanation in #136 satisfies my curiosity. Though it would be nice to include this fact in the documentation. @mattupstate

galeo pushed a commit to galeo/flask-security-outdated that referenced this issue Mar 4, 2020
Remove script.py
Remove old sqlalchemy workaround.

closes: pallets-eco#143