Django中如何使用Bcrypt加密密码
How to use Bcrypt to encrypt passwords in Django
我正在尝试使用 Bcrypt 来加密用户在注册时提供的密码,然后使用 Bcrypt 根据存储在数据库中的散列版本来验证用户在登录时提供的密码。
有一些关于如何通过 Django 安装 Bcrypt 的非常好的文档 docs,但它们实际上并没有向您展示如何使用 Bcrypt 来散列密码或使用其他命令。
您需要从某处导入 Brcrypt 吗?如果是这样,它的正确语法是什么?散列密码和比较散列密码与非散列密码的语法是什么?
我在 settings.py 文件中安装了 Bcrypted 库,还通过 pip 安装了 Bcrypt。我还需要做什么才能使用 Bcrypt?
在你的 link:
The password attribute of a User object is a string in this format:
<algorithm>$<iterations>$<salt>$<hash>
Those are the components used
for storing a User’s password, separated by the dollar-sign character
and consist of: the hashing algorithm, the number of algorithm
iterations (work factor), the random salt, and the resulting password
hash. The algorithm is one of a number of one-way hashing or password
storage algorithms Django can use; see below. Iterations describe the
number of times the algorithm is run over the hash. Salt is the random
seed used and the hash is the result of the one-way function.
I installed the Bcrypted library in the settings.py file...
What else do I need to do to use Bcrypt?
我不确定第一句话是什么意思。您需要将以下内容放入 settings.py
:
PASSWORD_HASHERS = (
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
use Bcrypt to validate a password a user provides upon login against
the hashed version stored in the database.
您可以手动执行此操作:
The django.contrib.auth.hashers module provides a set of functions to
create and validate hashed password. You can use them independently
from the User model.
check_password(password, encoded)
If you’d like to manually authenticate a user by comparing a plain-text password to the hashed
password in the database, use the convenience function
check_password(). It takes two arguments: the plain-text password to
check, and the full value of a user’s password field in the database
to check against, and returns True if they match, False otherwise.
https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#module-django.contrib.auth.hashers
或者,您可以使用 authenticate()
:
authenticate(**credentials)
To authenticate a given username and password, use authenticate(). It takes credentials in the form of
keyword arguments, for the default configuration this is username and
password, and it returns a User object if the password is valid for
the given username. If the password is invalid, authenticate() returns
None. Example:
from django.contrib.auth import authenticate
user = authenticate(username='john', password='password to check')
if user is not None:
# the password verified for the user
if user.is_active:
print("User is valid, active and authenticated")
else:
print("The password is valid, but the account has been disabled!")
else:
# the authentication system was unable to verify the username and password
print("The username and password were incorrect.")
https://docs.djangoproject.com/en/1.9/topics/auth/default/#authenticating-users
这里有一些例子:
(django186p34)~/django_projects/dj1$ python manage.py shell
Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher')
这些是默认值:我的 settings.py 中没有 PASSWORD_HASHERS
的条目。
>>> from django.contrib.auth.models import User
>>> my_user = User.objects.create_user('ea87', 'ea@gmail.com', '666monkeysAndDogs777')
>>> my_user.save()
>>> my_user.password
'pbkdf2_sha256000$L7uq6goI1HIl$RYqywMgPywhhku/YqIxWKbpxODBeczfLm5zthHjNSSk='
>>> my_user.username
'ea87'
>>> from django.contrib.auth import authenticate
>>> authenticate(username='ea87', password='666monkeysAndDogs777')
<User: ea87>
>>> print(authenticate(username='ea87', password='wrong password'))
None
>>> from django.contrib.auth.hashers import check_password
>>> check_password('666monkeysAndDogs777', my_user.password)
True
>>> exit()
接下来,我将以下内容添加到 settings.py:
PASSWORD_HASHERS = (
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
(django186p34)~/django_projects/dj1$ python manage.py shell
Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher')
注意元组前面的 bcrypt 哈希。
>>> from django.contrib.auth.models import User
>>> user = User.objects.get(username='ea87')
>>> user
<User: ea87>
>>> user.password
'pbkdf2_sha256000$DS20ZOCWTBFN$AFfzg3iC24Pkj5UtEu3O+J8KOVBQvaLVx43D0Wsr4PY='
>>> user.set_password('666monkeysAndDogs777')
>>> user.password
'bcrypt_sha256$b$QeWvpi7hQ8cPQBF0LzD4C.89R81AV4PxK0kjVXG73fkLoQxYBundW'
可以看到密码已经变成了bcrypt版本
7stud 的简短回答
在 Django 1.9 默认模板项目中使用 create_user
:
User.objects.create_user(username='uname', password='mypass')
而不是 create
,后者不对密码进行哈希处理。
另一个选项是设置密码:
user = User(username='uname')
user.set_password('mypass')
user.save()
最后,您还可以按照以下位置对字符串进行操作:How to quickly encrypt a password string in Django without an User Model?
我正在尝试使用 Bcrypt 来加密用户在注册时提供的密码,然后使用 Bcrypt 根据存储在数据库中的散列版本来验证用户在登录时提供的密码。
有一些关于如何通过 Django 安装 Bcrypt 的非常好的文档 docs,但它们实际上并没有向您展示如何使用 Bcrypt 来散列密码或使用其他命令。
您需要从某处导入 Brcrypt 吗?如果是这样,它的正确语法是什么?散列密码和比较散列密码与非散列密码的语法是什么?
我在 settings.py 文件中安装了 Bcrypted 库,还通过 pip 安装了 Bcrypt。我还需要做什么才能使用 Bcrypt?
在你的 link:
The password attribute of a User object is a string in this format:
<algorithm>$<iterations>$<salt>$<hash>
Those are the components used for storing a User’s password, separated by the dollar-sign character and consist of: the hashing algorithm, the number of algorithm iterations (work factor), the random salt, and the resulting password hash. The algorithm is one of a number of one-way hashing or password storage algorithms Django can use; see below. Iterations describe the number of times the algorithm is run over the hash. Salt is the random seed used and the hash is the result of the one-way function.
I installed the Bcrypted library in the settings.py file... What else do I need to do to use Bcrypt?
我不确定第一句话是什么意思。您需要将以下内容放入 settings.py
:
PASSWORD_HASHERS = (
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
use Bcrypt to validate a password a user provides upon login against the hashed version stored in the database.
您可以手动执行此操作:
The django.contrib.auth.hashers module provides a set of functions to create and validate hashed password. You can use them independently from the User model.
check_password(password, encoded)
If you’d like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function check_password(). It takes two arguments: the plain-text password to check, and the full value of a user’s password field in the database to check against, and returns True if they match, False otherwise.
https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#module-django.contrib.auth.hashers
或者,您可以使用 authenticate()
:
authenticate(**credentials)
To authenticate a given username and password, use authenticate(). It takes credentials in the form of keyword arguments, for the default configuration this is username and password, and it returns a User object if the password is valid for the given username. If the password is invalid, authenticate() returns None. Example:from django.contrib.auth import authenticate user = authenticate(username='john', password='password to check') if user is not None: # the password verified for the user if user.is_active: print("User is valid, active and authenticated") else: print("The password is valid, but the account has been disabled!") else: # the authentication system was unable to verify the username and password print("The username and password were incorrect.")
https://docs.djangoproject.com/en/1.9/topics/auth/default/#authenticating-users
这里有一些例子:
(django186p34)~/django_projects/dj1$ python manage.py shell
Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher')
这些是默认值:我的 settings.py 中没有 PASSWORD_HASHERS
的条目。
>>> from django.contrib.auth.models import User
>>> my_user = User.objects.create_user('ea87', 'ea@gmail.com', '666monkeysAndDogs777')
>>> my_user.save()
>>> my_user.password
'pbkdf2_sha256000$L7uq6goI1HIl$RYqywMgPywhhku/YqIxWKbpxODBeczfLm5zthHjNSSk='
>>> my_user.username
'ea87'
>>> from django.contrib.auth import authenticate
>>> authenticate(username='ea87', password='666monkeysAndDogs777')
<User: ea87>
>>> print(authenticate(username='ea87', password='wrong password'))
None
>>> from django.contrib.auth.hashers import check_password
>>> check_password('666monkeysAndDogs777', my_user.password)
True
>>> exit()
接下来,我将以下内容添加到 settings.py:
PASSWORD_HASHERS = (
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
(django186p34)~/django_projects/dj1$ python manage.py shell
Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.conf import settings
>>> print(settings.PASSWORD_HASHERS)
('django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher')
注意元组前面的 bcrypt 哈希。
>>> from django.contrib.auth.models import User
>>> user = User.objects.get(username='ea87')
>>> user
<User: ea87>
>>> user.password
'pbkdf2_sha256000$DS20ZOCWTBFN$AFfzg3iC24Pkj5UtEu3O+J8KOVBQvaLVx43D0Wsr4PY='
>>> user.set_password('666monkeysAndDogs777')
>>> user.password
'bcrypt_sha256$b$QeWvpi7hQ8cPQBF0LzD4C.89R81AV4PxK0kjVXG73fkLoQxYBundW'
可以看到密码已经变成了bcrypt版本
7stud 的简短回答
在 Django 1.9 默认模板项目中使用 create_user
:
User.objects.create_user(username='uname', password='mypass')
而不是 create
,后者不对密码进行哈希处理。
另一个选项是设置密码:
user = User(username='uname')
user.set_password('mypass')
user.save()
最后,您还可以按照以下位置对字符串进行操作:How to quickly encrypt a password string in Django without an User Model?