Secure Login System in Python

  • Published: 31 Jan 2025
  • Science

Comments • 100

  • @hussainbabonji4207
    @hussainbabonji4207 2 years ago +24

    I forgot to tell you that I started to love Python more because of you. Thank you and keep going, I love your projects.

  • @chrism6880
    @chrism6880 2 years ago +30

    You should be using something like bcrypt (or anything beyond a simple sha256 hash) for passwords. Sha is a general purpose hash, not the best for password hashing.

    • @HuskkM8
      @HuskkM8 2 years ago +3

      That’s right 👍

    • @pobkuk
      @pobkuk 2 years ago +9

      Or doing it properly and using something like Passlib to manage the hashing... This is just negligent programming calling this car-crash "secure"

    • @vmajed7103
      @vmajed7103 1 year ago +1

      @pobkuk nerd

    • @federalcheesegrater556
      @federalcheesegrater556 1 year ago +3

      This is just an example video though, if you're going to use this tutorial in any professional environment, you shouldn't be in your position...

  • @alessandrog498
    @alessandrog498 1 year ago +2

    This channel deserves more subscribers!

  • @sherazmalik5155
    @sherazmalik5155 8 months ago +1

    Your presentation of the code is amazing, learning a lot from your channel. Thanks.

  • @bsuarez3455
    @bsuarez3455 1 year ago +1

    I love all these under-20-minute projects. Lets you get hands-on quick

  • @johnecott7429
    @johnecott7429 2 years ago +3

    Thanks for the video! I love all your content and you make Python very fun to learn.

  • @PaulSmith-zs5je
    @PaulSmith-zs5je 2 years ago +3

    Enjoying the python content.. keep up the great work.

  • @servetbirgul
    @servetbirgul 2 years ago +1

    Hi I've been following you for a long time and I like all your videos

    • @servetbirgul
      @servetbirgul 2 years ago

      I want to generate invoice with UBL 2.1 using python but there is nothing about it in python, can you help me with this please

    • @servetbirgul
      @servetbirgul 2 years ago

      There is not much information about xml files, please help this follower

  • @fredericoamigo
    @fredericoamigo 1 year ago +5

    Nice vid! How did you make your pycharm format the SQL?

  • @sahilgarg94
    @sahilgarg94 2 years ago +2

    Always quality content

  • @rougebarbu
    @rougebarbu 2 years ago +4

    You should build the hash from password AND username (for example username + password), not only password so the hashes would be different for 2 users having the same password.

    • @dslnoob7140
      @dslnoob7140 2 years ago

      Or instead of building the salt from username and password, maybe just generate a random salt and store the hashed salted password in the DB along with the salt. Perhaps use bcrypt so as to generate the salt and save the salt in the same field as the password

    • @MnMEminem
      @MnMEminem 2 years ago +1

      @dslnoob7140 you are mistaking hashing with encrypting, hashing is more secure for passwords

    • @dslnoob7140
      @dslnoob7140 2 years ago

      @MnMEminem nope. I am indeed talking about hashing and not encrypting. But with my strategy, even if two users share the same password, their hashes would still be different since we added salt to the password.
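
The random-salt scheme discussed in this thread, as an added example (not code from the video or from any commenter). It uses scrypt from Python's standard library in place of bcrypt and stores salt and hash in one field; the `userdata` table layout, the cost parameters and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex' built from a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    # In-memory database with an assumed two-column layout
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userdata (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterized query: user input is never concatenated into the SQL text
    conn.execute("INSERT INTO userdata (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM userdata WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "hunter2-constructed")  # constructed sample users
    register(db, "bob", "hunter2-constructed")    # same password as alice
    rows = dict(db.execute("SELECT username, password FROM userdata"))
    print("stored values differ:", rows["alice"] != rows["bob"])
    print("good login:", login(db, "alice", "hunter2-constructed"))
    print("bad login:", login(db, "alice", "wrong"))
```
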

  • @dmitrykononenko6411
    @dmitrykononenko6411 2 years ago +2

    What do you think of password salt?

  • @youssefalkhodary
    @youssefalkhodary 2 years ago +1

    you are awesome ❤️

  • @IlyesCodes
    @IlyesCodes 2 years ago

    Thanks for always teaching us useful stuff
    Please make a video about sys and subsystem modules

  • @paulthomas1052
    @paulthomas1052 2 years ago +1

    Great video, cheers.

  • @פלוניפלוני-צ2ט
    @פלוניפלוני-צ2ט 2 years ago +2

    Did you upload these project files to your GitHub?

  • @kushaldevkota3016
    @kushaldevkota3016 1 year ago +1

    Can we use sqlite 3 and hash libraries for our minor academic project?

  • @AliHamza-en8cn
    @AliHamza-en8cn 2 years ago +1

    I love your videos.

  • @tishajindal5684
    @tishajindal5684 6 months ago +2

    how u implement the command in userdata.db at 5:09

  • @jackfr0st486
    @jackfr0st486 2 years ago +2

    How to encrypt the database itself?
    Like setting a password to username.db so that no one can read it even if they somehow got to download the file (database) itself?

    • @photoballa
      @photoballa 2 years ago +1

      Hash the password, so that when the user enters the password you apply the hash function, check if that’s in the database, if it is for that user, let them in, if it’s wrong well you know. And this way since a hash function is only one way, they’ll know which username has which hash password but they can never figure out the password as it is hashed. Don’t store the password in the database, only person who’ll know password is person who enters it

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 2 years ago

      The trouble with hashed passwords is that the authentication can only be one-way. If you are operating over an untrusted connection (e.g. the Internet), then you need authentication to be two-way: not only must the server be sure the client/user is genuine, but the client/user must also be sure the server is genuine.

    • @jackfr0st486
      @jackfr0st486 2 years ago

      @photoballa Thanks for the reply, but what I meant to ask was how do I set authentication for the sqlite3 database itself, like in MySQL.

  • @kellywalfgan8767
    @kellywalfgan8767 1 year ago

    Nice one bro

  • @OldKing11100
    @OldKing11100 2 years ago +2

    I wouldn't use SHA256 or BLAKE3 for password encryption. The reason why we like to use those is that it's computationally inexpensive to check. This means that if your database gets compromised it won't take too long to break short unsalted SHA256 hashes. Still this is good for generating Cookies and Bearer Tokens because they are easy to verify on every request. bcrypt or argon2 is much better for generating passwords.

    • @OldKing11100
      @OldKing11100 2 years ago

      @__Brandon__ I agree with the TLS part which is standard, but not the client password hashing. It's perfectly fine sending a plaintext password over TLS v1.2 and up. If you are storing the argon2id password (which includes the salt) then the client would need to know what the argon2id scheme is beforehand. You can actually cause a bigger issue since the client would know the pw + salt + hash which would all be captured with a bad clientside javascript library giving inside details into the server.

    • @OldKing11100
      @OldKing11100 2 years ago

      @__Brandon__ I'm essentially relying on TLS to be secure through AES-256 (ChaCha20) after the RSA handshake to receive the password then have the server store it with argon then decipher it with argon. If you can't trust TLS to be secure then any PII data sent is insecure. Your method makes it impossible to enforce any password complexity requirements at the API layer and you can't rely on the client to be honest.

    • @OldKing11100
      @OldKing11100 2 years ago

      @__Brandon__ I see what you're saying. Chances aren't that your DB gets compromised so much as your DNS or an ISP's BGP router gets changed to trick users in which case the attacker is still going to get the passwords anyway since their app won't hash anything. Still if the hacker gets into the server they will still be able to see all JSON objects that pass through the server so what's the point of encrypting the password if they get your SSN, DOB, F/L, and all that good stuff anyway. All they have to do is send the hash password anyway? It's kind of hard to shield users from leaking passwords if their computer is compromised also or click a bad link. I don't think the extra hash really helps to be honest. Maybe here is to hoping that passwordless implementations will be better?

    • @OldKing11100
      @OldKing11100 2 years ago

      @__Brandon__ You just now said that it's hard to forge a cert (MITM) yet you are trying to protect against it...?
      EDIT: You're standardizing your PW length and characters so it's still vulnerable to dictionary attacks and it really doesn't matter since the hash just becomes the password. Very little value add; just make your passwords passphrases with a 16 character minimum. Also don't quote standards to me if you don't tell me the standard like HIPAA FERPA COPPA. What industry standard are you referring to, CISPA?

    • @OldKing11100
      @OldKing11100 2 years ago

      @__Brandon__ I'm sorry I'm going to forward this to my Frontend SA. She is going to get a kick out of this in that she's trying to avoid the Discover hack. Take it easy my dude. We are arguing over the smallest thing.

  • @NicksOnTheStyx
    @NicksOnTheStyx 2 years ago +1

    I can't get the username and password prompts to pop up in the terminal :/ I'm running the server first then the client and the server runs but client does nothing. Any idea what the issue could be?

    • @dazewaker262
      @dazewaker262 1 year ago

      If you got any errors like no connection could be made, change your port number as it could be used by another service. Change 9999 to something like 3000 or anything.

  • @suntzu5376
    @suntzu5376 1 year ago

    I'm learning Python but instead of watching 6 hours of "print types" watching this. I don't really understand the whole thing but I wanna create something. Am I doing good or should I go for beginners guide?

  • @trailerhighlights8349
    @trailerhighlights8349 1 year ago +1

    Can you make a #2 video that adds the function to create new accounts

    • @juleslevy3662
      @juleslevy3662 11 months ago

      Hi, he could have made a second video for that but it's a very simple thing: just replace the username name 1 and password 1 from your sample.py by an input and make it a function with def ...(): and implement it like the login system, or if you don't want an input in the command line like me you can use PyQt5 to make an app and replace the input() by self.NAME OF TEXT BOX.text()

  • @Tijnnnn
    @Tijnnnn 1 year ago

    Could you add expiration system so after a specific amount of time the key becomes invalid?

  • @TBT_ZHV
    @TBT_ZHV 1 year ago

    how do you see all those functions etc even in strings??

  • @craab9utube
    @craab9utube 2 years ago

    what is the theme you have your pycharm set up with here

  • @ttaylor9916
    @ttaylor9916 1 year ago +1

    [WinError 10048] Only one usage of each socket address (protocol/network address/port) is normally permitted

  • @njanirudh
    @njanirudh 1 year ago

    I would suggest a unique salt added to the passwords

  • @servetbirgul
    @servetbirgul 2 years ago

    I want to generate invoice with UBL 2.1 using python but there is nothing about it in python, can you help me with this please

  • @sanunitwaibu529
    @sanunitwaibu529 1 year ago

    Hello... your tutorials are extraordinary. Can you please create a tutorial on Python built-in functions (all built-in functions, there are 71)? I hope you will work on it. Thank you.

  • @okwuteizuchukwu7547
    @okwuteizuchukwu7547 1 year ago

    I get as far as 5:10 but when I run it I get this error message ' sqlite3.OperationalError: table userdata has no column named password ' Does anyone have any solutions?

  • @cyb3ersounds
    @cyb3ersounds 8 months ago

    please i am having this error: cur.execute("""
    AttributeError: 'builtin_function_or_method' object has no attribute 'execute'

  • @HitmansRealm
    @HitmansRealm 1 year ago

    but how to keep session, user logged in and transfer data? big data?

  • @Mjuziks
    @Mjuziks 2 years ago

    thank you

  • @spiceplayz8035
    @spiceplayz8035 1 year ago +1

    How did you get that thing to show up for the database? I've never really used SQL before and it's saying that the file is not displayed in the editor because it's either binary or an unsupported text encoding

    • @patriciomondragon-db5mb
      @patriciomondragon-db5mb 1 year ago

      Go to extensions, write SQLite, install the extension, right click on the database and click open database. An SQLite explorer button will appear on the bottom left, click it and it should show the database, click the name of the database and it will show you the tables.
      If you want to do a query, right click it and select new query

  • @mikepenprogrammer2652
    @mikepenprogrammer2652 2 years ago

    You should have an entire book on login systems and databases. I'd buy it. EDIT: Already purchased some of your books.

  • @bsmonkey6036
    @bsmonkey6036 1 year ago

    [vscode-sqlite][ERROR] Failed to open database 'c:\...\...': file is not a database
    I don't know where to put my files so it finds the db

  • @MOVIESHORT854
    @MOVIESHORT854 2 years ago +1

    Python is so simple in context

  • @YakupCanPak
    @YakupCanPak 1 year ago +1

    "Secure"
    SQL Injection laughing at the corner:

  • @georgebas1605
    @georgebas1605 1 year ago

    intro song name?

  • @ShreyasBhosle-y2k
    @ShreyasBhosle-y2k 1 year ago

    Even if I type the correct password and username, "login failed" is shown

  • @mateusz7612
    @mateusz7612 2 years ago

    Hello, I did everything like in the video but in the end I have the message ConnectionRefusedError: [WinError 10061] No connection could be made because the target machine actively refused it. I tried to find it on the internet but I couldn't :( Maybe someone knows how to fix it?

    • @dazewaker262
      @dazewaker262 1 year ago

      Change your port number as it could be used by another service. Change 9999 to something like 3000 or anything.

  • @Wavyrezzz
    @Wavyrezzz 1 year ago

    How do we add this to our exe

  • @dhruvkumarpal2631
    @dhruvkumarpal2631 1 year ago

    It is showing error

  • @TheWeiserhelge
    @TheWeiserhelge 4 months ago

    Nothing of this is actually working, that's sad, and even that you don't tell what kind of extras we need to this is just..... I was joyful coding and when I tried to run always problems appear and I did it the same way as you ...

  • @RayHorn5128088056
    @RayHorn5128088056 2 years ago +20

    Calling unsalted sha256 secure is a joke. Lol.

  • @tcgvsocg1458
    @tcgvsocg1458 2 years ago +1

    interesting

  • @bigschweetie
    @bigschweetie 2 years ago

    Would be safer to salt the password before hashing it

    • @dslnoob7140
      @dslnoob7140 2 years ago

      The answer is definitely yes.

  • @pobkuk
    @pobkuk 2 years ago +1

    Interesting. Comments critical of the security of the techniques posted to this video seem to disappear. Methinks the author is deleting said critical commentary.

    • @dazewaker262
      @dazewaker262 1 year ago

      He isn't. They all are there. Revisit whole section.

  • @arielspalter7425
    @arielspalter7425 2 years ago

    I couldn’t understand how server.py and client.py are related to each other…

    • @temal32
      @temal32 2 years ago

      client.py sends the information to server.py, server.py then sends the information to the database.

    • @arielspalter7425
      @arielspalter7425 2 years ago

      @temal32 My confusion was that client.py was not imported into server.py and the connection is made through the TCP connection.

    • @samsepiol6052
      @samsepiol6052 2 years ago

      @arielspalter7425 It doesn't need to be. The point of networking is having 2 devices talk to each other. He is doing this, but the 2 computers are the same computer but different applications on the computer. And also, why would server.py need to import client.py? All the applications need to do is connect.

  • @ironislife9857
    @ironislife9857 2 years ago

    Can you show how to host a socket server for free?

  • @HingalshDealer
    @HingalshDealer 10 months ago

    didn't get anything but thank ya)

  • @philtoa334
    @philtoa334 2 years ago +1

    Thx_.

  • @essa88371
    @essa88371 2 years ago

    wow

  • @manofqwerty
    @manofqwerty 1 year ago

    It looks like hashlib has been deprecated now

  • @Dragonforge-Studios
    @Dragonforge-Studios 10 months ago

    Hashlib was yanked bruh

  • @talalkhan7189
    @talalkhan7189 2 years ago +1

    1st one bro

  • @dgh25
    @dgh25 1 year ago

    wtf just happened?

    • @alexlee3402
      @alexlee3402 9 months ago

      This is what happened every time you use the website to register and later login.

  • @kanwaradnan4849
    @kanwaradnan4849 2 years ago

    Yes first😅

  • @franklynchukwu3480
    @franklynchukwu3480 10 months ago

    It just seems like you're teaching yourself.. you're a bad teacher

  • @talalkhan7189
    @talalkhan7189 2 years ago

    1st comment

  • @kanwaradnan4849
    @kanwaradnan4849 2 years ago

    First?

  • @jackolantern6172
    @jackolantern6172 2 years ago

    Client didn’t work. Just says
    _AttributeError: module ‘socket’ has no attribute ‘connect’_
    Does it have something to do with the server number? I hate this computer ish for this very reason but I want to learn it so I’m not at such a disadvantage moving. I know once it clicks I’ll be golden.