Possibility to change password encryption
Hello!
I’ve made the horrible mistake of not setting SECURITY_PASSWORD_HASH to something other than plain text and was hoping there was a way to either change all the passwords to a hashed format on the fly?
It would be pretty cool in the future if there was a method for this kind of stuff 😃
Issue Analytics
- Created 10 years ago
- Comments: 16 (7 by maintainers)
On 11/17/2013 08:59 PM, Matt Wright wrote:
Yes - looks like I stumbled over this behavior. I’ve just followed the tutorial and created a user with the @app.before_first_request and thought that the “user_datastore.create_user” call would do everything which is necessary to have a secure (and encrypted) password in the database.
Later I looked at the code and saw that this call will do only things with Roles. Then I used encrypt_password in the “user_datastore.create_user” call and the password was stored encrypted in the database.
From my point of view this behavior is unexpected. I think the datastore.create_user call (or better the self._prepare_create_user_args call) should also do the encryption stuff.
At least (IMHO) you should think about pointing out this behavior clearly in your tutorial - or extend self._prepare_create_user_args to do encryption.
Anyway - thank you for flask-security and keep up your good work. 😉
It all depends on how you add users to your database. If you have set SECURITY_REGISTERABLE = True, and are only adding users via the built-in registration form, then you’ll be fine. If you’re adding users by any other means you must encrypt the password using flask_security.utils.encrypt_password before saving the user record in your database.
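The migration the original poster asked for, as an added example that is not part of this thread or of Flask-Security: a stand-in user table with legacy plaintext rows, a one-shot batch migration, and an "on the fly" variant that upgrades a plaintext row the next time that user logs in successfully. It assumes PBKDF2-HMAC-SHA256 from the standard library in place of whatever SECURITY_PASSWORD_HASH is configured to, and a `$pbkdf2-sha256$` prefix as the marker that distinguishes hashed from plaintext values.

```python
import hashlib
import hmac
import os

HASH_PREFIX = "$pbkdf2-sha256$"   # assumed marker; real Flask-Security hashes carry their own
ITERATIONS = 260000


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256, stored as prefix + iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{HASH_PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"


def is_hashed(stored: str) -> bool:
    return stored.startswith(HASH_PREFIX)


def verify_password(password: str, stored: str) -> bool:
    if not is_hashed(stored):
        # Legacy plaintext row: still compare in constant time.
        return hmac.compare_digest(password.encode(), stored.encode())
    _, _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_plaintext(users: dict) -> int:
    """One-shot migration: hash every row still stored as plaintext; returns the count."""
    migrated = 0
    for record in users.values():
        if not is_hashed(record["password"]):
            record["password"] = hash_password(record["password"])
            migrated += 1
    return migrated


def login(users: dict, email: str, password: str) -> bool:
    """'On the fly' variant: verify, then upgrade a legacy plaintext row on success."""
    record = users.get(email)
    if record is None or not verify_password(password, record["password"]):
        return False
    if not is_hashed(record["password"]):
        record["password"] = hash_password(password)
    return True


# Constructed sample table: two rows saved in plaintext (the mistake in the issue), one already hashed.
USERS = {
    "alice@example.com": {"password": "correct horse"},
    "bob@example.com": {"password": "hunter2"},
    "carol@example.com": {"password": hash_password("s3cret")},
}
```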