It's also good to store the password as a hash instead of the actual string.
Could there be multiple passwords with the same hash though?
@@MrEnder0001 Technically yes, but if you use a good hashing algorithm, it will almost never happen in practical use. Good algorithms make it take years and years of computing time to find two inputs with a matching hash, so there's no major security risk.
@@XYZaffair0 but good in the sense of security isn't necessarily good in general. If the algorithm is too good, it might take too long to compute the hash.
that was the first thing i noticed
Yes, if two people have the same password, it will produce the same hash. You should also include a salt, unique to the user, to prevent two users having the same hash and prevent rainbow attacks on the hashes. Also, you should only use a hashing algorithm specifically made for passwords to store passwords in (for example, argon2, bcrypt). Storing a password in a hash like SHA256 or even worse, MD5, can be cracked very quickly.
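The advice in this thread (a unique salt per user plus a password-specific hash), as an added example that is not code from the video or from any commenter. It uses scrypt from Python's standard library in place of the argon2 and bcrypt named above, since those need third-party packages; the cost parameters, function names and sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def fast_unsalted_hash(password):
    """The weak pattern from the thread: a fast digest with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Return (salt, digest) using a fresh random salt and scrypt."""
    salt = os.urandom(16)  # unique per stored password
    digest = hashlib.scrypt(
        password.encode(), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Re-derive the digest with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(
        password.encode(), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return hmac.compare_digest(candidate, expected_digest)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    shared = "hunter2"

    # Unsalted: both rows hold the same value, so one cracked hash exposes both.
    print("sha256 alice:", fast_unsalted_hash(shared)[:16], "...")
    print("sha256 bob:  ", fast_unsalted_hash(shared)[:16], "...")

    # Salted scrypt: the stored digests differ although the password is the same.
    alice_salt, alice_digest = hash_password(shared)
    bob_salt, bob_digest = hash_password(shared)
    print("scrypt alice:", alice_digest.hex()[:16], "...")
    print("scrypt bob:  ", bob_digest.hex()[:16], "...")

    print("login ok:   ", verify_password(shared, alice_salt, alice_digest))
    print("wrong pass: ", verify_password("hunter3", alice_salt, alice_digest))
```

The salt is stored next to the digest; it is not secret, it only makes each stored hash unique.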
How to make facebook?
from facebook import facebook
facebook()
😂
yes
Exactly hahah
@@Violet-jg5oh who is forcing you to use the libraries
@@Violet-jg5oh You can still make everything from scratch tho. Libraries in general are preferred because they are tested and generally faster. They take care of the implementation. So that you, for example, don't have to implement TCP/IP with Sockets to make a "Hello World" API
"can you spot whats wrong with this code?"
HE PUT A SPACE BEFORE THE COMMA MY OCD
you would hate me
no he didn't?
@@floral1474 at the start of the short
you have to separate the words so a space is good
@@mariomicco5996 But this line inserts 2 spaces:
print("You typed: ", pwd)
Another good measure is using a separate module to get the password then use getters to access it if necessary.
Bro named his variable "print working directory"
PassWorD, pwd. P in pass, W in word, D in word
LOL i also thought that
For the better part of a decade I thought pwd meant present working directory… my mind is blown.
I think I’m misunderstanding something here. If you don’t want to echo the password, just don’t print out what you’ve input??
He's talking about it being echoed while typing, the visual feedback. getpass avoids this by leaving it blank (so someone behind can't see what you're typing).
Printing it is just an example, to show that the password is indeed being captured
@@uKaigo ohhhhh that makes sense. Mind you, I watched this in the middle of the night so I was not comprehending what was being said lol
@@atomicspartan131 can relate lol
the important part is the input code - the output is just to show you that it still gets the password from the user with the other code
@@uKaigo It's not so much about the person behind you. Malware could very easily insert a reverse proxy into your stdin. Being able to read everything that the console prints and send it somewhere else.
That's why your SUDO password works just like this for example
why should you write passwords to standard output at all in the first place
If you are building some command line tool
Have you really never executed a command as sudo?
I immediately knew how to bypass that password check
how? @@nothingnothing1799
“What’s wrong with this code?” then says “use ___ library” 😂
"oh so you made pong from scratch?"
"stoopid, use import pong"
He's saying use one built in function instead of another one for this specific use case. Getpass is a built in module, it's not an external library...
Regardless, it's not a good idea to implement your own password handling unless you have a deeper understanding of security. Better to use pre-existing code that's been developed with more security
@@iah Thanks for the clarification! Hope this helps anyone! :)
@@iahDude absolutely. Specially taking into account that this type of behavior from the terminal is generally platform dependent. So it's cool to not have to worry about it
"Can you spot what's wrong with this code?"
Me: he put the space in the string and then the comma, but the default value for sep is " ".
thought this was going to be "pwd is a built-in function, and naming a variable it here prevents you from using it later on and can mess up uses of it in this scope"
Nice tip. Tho preventing this issue is kinda the point of namespaces
30 years ago I developed a code in GW BASIC which hides the input, replacing it with a star symbol every time you hit a key. Those are true days of programming ;P
well proper way is to use a database and query it. simply connect your code using a stored procedure with some arguments to pass.
What are you talking about? This is not a password for an API or a Web Service. The program already knows what the password SHOULD be. This is about not leaving said password hanging in the stdin/out (Standard Input/Output) of your machine
There is nothing actually wrong with the code.
If you’re learning how to do password security from a RUclips short you have no business asking for someone’s password
Great👍 I got to learn something new
Me, a C++ programmer: *interesting...*
Brother how would you record shorts with figure windows in it?
I also don't like the variable being named pwd cause in terminal window that will print your working directory.
You could also use maskpass
Why is echoing the password bad? It kinda pisses me off when programs DONT show me what im typing
What does echo mean?
ok but i didnt see this on the school powerpoint
Can you replace the blanks by dots just like when type passwords in sites
That still documents the length of the password. Making brute forcing exponentially easier. For critical information you should give the least amount of information. That's why 'sudo' for example gets your password this way
Whats a good Python code editor for a beginner?
Probably VSCode. But if you really are a beginner I would recommend doing as much as you can by hand without autocomplete and such. Will help you learn a lot faster by making it easier to make mistakes. Since mistakes are the best way to learn
How about echoing a * in place of .
I forgot what the module was called, but once I did use a python module that I could use to mask input with whatever I wanted.
@@jakedeschamps4454 it is pwinput
Just make a str subclass, then override the str and repr dunders to return None or "****". This will prevent value conversion by str() and repr() while the actual value remains the same.
For more context, the print() function will try to access the str dunder then the repr one if not exists.
The characters will still appear on screen when you call the input function. Which is what getpass actually does. It, well, GETs the PASSword from stdin without echoing it.
Pretty clever idea, but it does NOT solve the issue
@@sebastiangudino9377 oh, I see. It's similar to msvcrt.getch.
What font are you using
>Just use this library lol
I know this is meant for beginners but the only useful information in this video is that you shouldn't echo passwords
It is good info tho. And actually getting input without said input being on the screen is actually not trivial to implement in Python. And it's also platform dependent. So it makes sense why such a library exists
@@sebastiangudino9377 I know why this library exists and I think people should use it if they need to but this is still a bad tutorial because it doesn't actually teach the viewer anything.
@@alarii2582 It's not a "Library" in the sense that it is part of the standard. The video is just teaching that instead of using input (A function that comes from the language) if you are dealing with passwords it is better to use getpass (Another function that comes with the language). Swapping one function for another makes your program more secure.
While not groundbreaking, i think that's pretty useful to know for beginners. Specially since, again, this function is not easy to implement by yourself
It should be common sense. There's also typically a bigger process for encrypting passwords. At least for secure applications.
"can you spot whats wrong with this code?"
there are no semicolons
Is this the first time you see Python? JavaScript is going to blow your mind then 😉
@@Indently python is the definition of mistake 😂
why? @@catthebutcher9438
Is there a way to implement this in pure python?
Could you be more specific? Everything I showed in the video was provided by vanilla Python.
@@Indently Oh, I meant the package. How does it work?
@@Indently I was wondering about that too. No need to re-invent the wheel of course, but studying the invention of the wheel can bring some great ideas.
I want to see how this is done without importing a module.
This also applies for the other shorts, I think people will learn a lot if at the end you explain inner workings of the module that was imported.
@@hak0bu that's false. Pandas is mainly written in C.
@@hak0bu nope the vast majority is written in a lower level language, mostly C
Bro,,, how to install turtle library in phone
I thought you were talking about not checking against sql injections. I was way overthinking it 😄
This is not connecting to a db. This is for local programs. Well, for password input in general, regardless of where the information is stored
You heard the terminal! Subscribe my bois
I registered for a forum and it sent me my password and username in clear text in an email
A one time password?
@@alext5497 no it was what i set it as
@While you were reading this I stole your sandwich and donated it to a kid in africa time to change your passwords and don't use that site
@@alext5497 oh it was a throwaway account anyways the password i set was obamafucker69 or something i dont use the same password for everything
This is why I'm becoming a fan of signing in with Google instead. There I know my password is not getting anywhere near the shady websites, instead it is safely stored inside the servers of a shady company
What theme is this
also if this is true and no bs to be able to invoke commands from a print function is not a good argument for python i guess
What do you even mean by "Invoking commands from a print function"?
Thanks very useful
What's wrong? You didn't use an f string, why would someone do that
how could we use * when someone typed password
i thought the same: would be nice to print star for every typed char
getpass module doesn't have that functionality, so you need to use another module, such as pwinput.
Remember that printing asterisks can be a bad idea, since it will show the password length & can be used to speed up password cracking by hackers. So don't use it for any critical purpose.
@@puspamadak 99% of us will use it for some dumb app
heeeey, I'm named Federico!
I would think they get password would Ask the user to enter the password twice since it’s not a code on the screen there’s a chance for mistakes if they only type at once.
I can barely type my password correctly in once when logging in to any of my accounts (seriously, my password is more complicated than a UUID4 ID), if any system asked me twice to enter my password, I would never make it anywhere 😅
But what you're saying makes sense for e-mails, but for passwords, if they get it wrong you tell them to try again and decrement the attempt count.
@@Indently sure I get that but I figured the code was to create a new account or some type of connection. At least that’s my usual case and I ask for new passwords twice.
If it's a new password, I understand :)
There is nothing "wrong" with it. It runs fine and you specified no requirements at all.
Your preference does not make a thing wrong. An engineer knows that.
print(f"You type: {pswd}" was too easy?
Can we implement it without importing any packages?
Yeah write yours. It's really easy
Getpass is built into python, it's not from pip or anything
@@iah i know, just curious about the possibility of implementing my own Getpass without importing any package
@@朋友是一个坚韧不-h8d as Ibrahim typed under some other comment - you can create your own but you really have to know what you are doing if you want this to be secured. It is better to use already existing security functions that are verified.
It's written in Python
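How a no-echo prompt works on a POSIX terminal, as an added sketch that is not code from the video or from any commenter: clear the terminal's ECHO flag with termios, read a line, and always restore the old settings. The standard library's getpass does this on Unix-like systems with more fallbacks; `echo_off` and `read_password` are names made up for this example, and it does not cover Windows.

```python
import os
import sys
import termios


def echo_off(attrs):
    """Return a copy of a termios attribute list with the ECHO flag cleared."""
    new = list(attrs)
    new[3] &= ~termios.ECHO  # index 3 holds the local-mode flags (lflag)
    return new


def read_password(prompt="Password: ", fd=None):
    """Read one line from a terminal without echoing it (POSIX only)."""
    if fd is None:
        fd = sys.stdin.fileno()
    # Raises termios.error when fd is not a terminal (pipe, redirected file).
    old = termios.tcgetattr(fd)
    try:
        # TCSAFLUSH discards input typed before the prompt appeared.
        termios.tcsetattr(fd, termios.TCSAFLUSH, echo_off(old))
        os.write(sys.stderr.fileno(), prompt.encode())
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = os.read(fd, 1024)
            if not chunk:  # EOF, e.g. Ctrl-D
                break
            buf += chunk
    finally:
        # Restore echo even on Ctrl-C, otherwise the shell stays silent.
        termios.tcsetattr(fd, termios.TCSAFLUSH, old)
        # The user's Enter was not echoed, so finish the line ourselves.
        os.write(sys.stderr.fileno(), b"\n")
    return buf.rstrip(b"\r\n").decode()


if __name__ == "__main__":
    secret = read_password()
    # Report only that something was captured; the value is never printed.
    print("captured a password" if secret else "nothing entered")
```

The `try`/`finally` is the part that is easy to get wrong by hand: without it, an interrupted prompt leaves the terminal with echo disabled.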
Nah, I'd rather use raw input from STDIN. xD
What does it mean that the password gets echoed?
The characters appear on screen as you type them
Don't do this either. Instead watch Tom Scott's computerphile video about why you should never code your own password form
Ide?
It’s not wrong.. you just should not do it like that.
whats wrong with this code? its python
I'm sure you could make a better programming language over a 3 week holiday
Good job
Whats wrong use a f string
so nothing was wrong with the first code
... why would you be printing out a password?
Yes, ignore the valuable part of the video and concentrate on printing the password for demonstrational purposes
hi
Hello
What app is this in?
RUclips lol
@@sebastiangudino9377 XD
Anyone tell me the font
Good thing to know
getpass is a function, not a method.
Cool
What the difference between those methods?😊
the first responds with the typed chars - so it reveals the password in console - the second doesn't echo the chars - so there is no way to see the password while you're typing
the print statement is there only to show that the second function gets also the password
its pawwada not password
😂 why not just set the text color to background color to hide text on any terminal
Because it becomes visible after highlighting it with your mouse.
Get pass is good
But my dad got 115 but i got 126 😊
Nothing is wrong with the code, the approach is bad
Better use Java
Day 17 asking what IDE is he using
PyCharm
It's the macbook's ide
Just use this library for a problem is not really creative content.
Thanks for the feedback!
@@Indently Don't worry I didn't mean to sound rude (even though I did a bit) but the introduced problem is more of something for people that already have some knowledge in python. Now you could either make such an input function by yourself or explain what getpass() really does in more detail. I think that way more people learn something new :)
Btw I highly appreciate people explaining coding and making it more accessible for the general population. I think it's important that people know what their used functions do instead of just copying them from stack overflow. On work I saw way too many people doing this.
@@matteodorighelli6133 The thing is that getpass is implementation dependent. It uses features specific to the terminal of the given platform.
You could also just do it using c and functions like getch (Which ARE implementation dependent as well lol).
This is a video that shows a solution to a simple problem using a feature of the language (It's not even a "library" it's part of the standard library of the python language. I think it is clearer to say that the getpass function that solves this problem is located in the getpass namespace in the standard library)
shame on you for not using types!
I would love to use them 100% of the time, but they don't fit on the screen in shorts :)
@@Indently Are you Italian? I am and I've only heard "Federico" in italy
Python bad
😂😂😂😂
The waffle house has found its new host
The Waffle House has found its new host
import solution
The waffle house has found it's new host
So how to fix it:
1. Just use this library that was made for this
2. It won't work everywhere, but i guess it's better
Lol, no
It won’t work in the default Python REPL, which will never be used as a way for end users to access an application because it hands over complete control of the python environment. I don’t believe there is any solution that would work in the REPL and be cross platform, which is a pointless problem to solve anyways.