Re: django.contrib.auth user password decryption

2009-04-06 Thread Joshua Partogi

I was about to do that. :-D

But after thinking about it, I didn't do that.

Thanks guys

On Apr 5, 6:51 pm, soniiic  wrote:
> I hope that doesn't mean storing the real password in a table in the
> database :)
>
> On Apr 4, 11:12 pm, Joshua Partogi  wrote:
>
> > On Apr 4, 11:49 pm, Masklinn  wrote:
>
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>
> > > > Dear all,
>
> > > > I already took a look at the django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
>
> > > > Sometimes we need to get the real text password to be sent to the user.
>
> > > > What is the best way to do this? Has anybody got an idea?
>
> > > > Thank you very much in advance!
>
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve  
> > > them, and that's exactly the intent (well the intent is not that *you*  
> > > cannot retrieve them, it's that nobody else can). If you need to send  
> > > users their passwords, you have to generate new (random) passwords and  
> > > send them that.
>
> > > Masklinn
>
> > Thanks for the explanation Masklinn. :-)
>
> > I'll find another way to send users their password.
>
> > Thank you very much.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Re: django.contrib.auth user password decryption

2009-04-05 Thread Mike Ramirez
On Sunday 05 April 2009 05:39:37 pm Russell Keith-Magee wrote:
> On Sun, Apr 5, 2009 at 6:12 AM, Joshua Partogi  wrote:
> > On Apr 4, 11:49 pm, Masklinn  wrote:
> >> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> >> > Dear all,
> >> >
> >> > I already took a look at the django.contrib.auth.models but could not
> >> > find any methods for decrypting the user password.
> >> >
> >> > Sometimes we need to get the real text password to be sent to the user.
> >> >
> >> > What is the best way to do this? Has anybody got an idea?
> >> >
> >> > Thank you very much in advance!
> >>
> >> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> >> them, and that's exactly the intent (well the intent is not that *you*
> >> cannot retrieve them, it's that nobody else can). If you need to send
> >> users their passwords, you have to generate new (random) passwords and
> >> send them that.
> >>
> >> Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send users their password.
>
> Don't. Ever. Do. This.
>
> You should _never_ store passwords in cleartext, and you should
> _never_ transmit passwords in cleartext. If you think I'm kidding,
> read up on what happened to Reddit.
>
> http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
>
> Yours,
> Russ Magee %-)
>

I think that every web designer should read this,

 http://www.owasp.org/index.php/OWASP_AppSec_FAQ

and to address this question specifically:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ#How_can_my_.22Forgot_Password.22_feature_be_exploited.3F

and the following four questions and answers.  

In the end, it also says the same things as Russ does.

Mike
-- 
Arcserve crashed the server again.




Re: django.contrib.auth user password decryption

2009-04-05 Thread Russell Keith-Magee

On Sun, Apr 5, 2009 at 6:12 AM, Joshua Partogi  wrote:
>
>
>
> On Apr 4, 11:49 pm, Masklinn  wrote:
>> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>>
>> > Dear all,
>>
>> > I already took a look at the django.contrib.auth.models but could not
>> > find any methods for decrypting the user password.
>>
>> > Sometimes we need to get the real text password to be sent to the user.
>>
>> > What is the best way to do this? Has anybody got an idea?
>>
>> > Thank you very much in advance!
>>
>> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
>> them, and that's exactly the intent (well the intent is not that *you*
>> cannot retrieve them, it's that nobody else can). If you need to send
>> users their passwords, you have to generate new (random) passwords and
>> send them that.
>>
>> Masklinn
>
> Thanks for the explanation Masklinn. :-)
>
> I'll find another way to send users their password.

Don't. Ever. Do. This.

You should _never_ store passwords in cleartext, and you should
_never_ transmit passwords in cleartext. If you think I'm kidding,
read up on what happened to Reddit.

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

Yours,
Russ Magee %-)




Re: django.contrib.auth user password decryption

2009-04-05 Thread Adam N

A good solution is to reset the password through the screen.

1. Validate the user through some sort of test (secret question or
something).
2. Then send them to a screen where they can reset the password
themselves to whatever they want.
3. Initiate an email to the stored email address notifying of the
password reset (in case an imposter made the change).

It's a little less secure (because of social engineering attacks), but
it's fine for a low security site while still maintaining fundamental
security at the password data level.

Keep in mind the requirement to reset an unknown password really is
for your own good.  Two-way encryption of passwords is unsafe both
because somebody can get and use them without the owner even knowing
that they've been compromised and because anybody with the decryption
key (often anybody with access to the codebase) can get passwords.

-Adam

On Apr 5, 4:51 am, soniiic  wrote:
> I hope that doesn't mean storing the real password in a table in the
> database :)
>
> On Apr 4, 11:12 pm, Joshua Partogi  wrote:
>
>
>
> > On Apr 4, 11:49 pm, Masklinn  wrote:
>
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>
> > > > Dear all,
>
> > > > I already took a look at the django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
>
> > > > Sometimes we need to get the real text password to be sent to the user.
>
> > > > What is the best way to do this? Has anybody got an idea?
>
> > > > Thank you very much in advance!
>
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve  
> > > them, and that's exactly the intent (well the intent is not that *you*  
> > > cannot retrieve them, it's that nobody else can). If you need to send  
> > > users their passwords, you have to generate new (random) passwords and  
> > > send them that.
>
> > > Masklinn
>
> > Thanks for the explanation Masklinn. :-)
>
> > I'll find another way to send users their password.
>
> > Thank you very much.
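Adam's three steps above, written out as an added example that is not part of the original thread and not Django's own reset machinery (django.contrib.auth has its own PasswordResetForm; this is a self-contained, in-memory model of the same flow). Step 1 uses an e-mailed single-use, time-limited token to prove control of the stored address in place of a secret question; step 2 lets the user choose the new password; step 3 mails a notification to the stored address. Only a hash of the reset token is kept, so reading the database does not yield a working reset link, and a request for an unknown account is answered exactly like a known one. The names (User, request_reset, complete_reset, OUTBOX, the example.invalid URL, the 15-minute lifetime) are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: an in-memory model of the reset flow. Not Django's code; every
# name below is this example's own. The token lifetime is an assumption.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(raw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, stored as 'pbkdf2_sha256$<salt hex>$<digest hex>'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), salt, 100_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(raw: str, encoded: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = encoded.split("$", 2)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    username: str
    email: str
    password: str                          # hash only; plaintext is never stored
    # Pending reset as (sha256 of the token, expiry timestamp). Only the hash is
    # kept, so a database read does not hand an attacker a usable reset link.
    reset: Optional[Tuple[str, float]] = None


# Constructed stand-in for the mail server: (to, subject, body) triples.
OUTBOX: List[Tuple[str, str, str]] = []


def send_mail(to: str, subject: str, body: str) -> None:
    OUTBOX.append((to, subject, body))


def request_reset(users: Dict[str, User], username: str, now: float) -> None:
    """Step 1: prove control of the stored e-mail address.

    Returns nothing whether or not the account exists, so the response does
    not reveal which usernames are registered (user enumeration).
    """
    user = users.get(username)
    if user is None:
        return
    token = secrets.token_urlsafe(32)
    user.reset = (hashlib.sha256(token.encode("ascii")).hexdigest(),
                  now + TOKEN_TTL_SECONDS)
    send_mail(user.email, "Password reset",
              f"https://example.invalid/reset/{user.username}/{token}")


def complete_reset(users: Dict[str, User], username: str, token: str,
                   new_password: str, now: float) -> bool:
    """Step 2: the user sets a new password; the token is single-use and expires.

    Step 3: on success, notify the stored address so an impostor's change is
    visible to the real owner.
    """
    user = users.get(username)
    if user is None or user.reset is None:
        return False
    token_hash, expires_at = user.reset
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if now > expires_at or not hmac.compare_digest(presented, token_hash):
        return False
    user.password = hash_password(new_password)
    user.reset = None                      # burn the token: a second use must fail
    send_mail(user.email, "Your password was changed",
              "If you did not do this, contact support immediately.")
    return True


def demo() -> bool:
    """Constructed walk-through: request a reset, follow the link, use the new password."""
    users = {"alice": User("alice", "alice@example.invalid", hash_password("old-pass"))}
    request_reset(users, "alice", now=1000.0)
    token = OUTBOX[-1][2].rsplit("/", 1)[1]
    ok = complete_reset(users, "alice", token, "new-pass", now=1010.0)
    return (ok and verify_password("new-pass", users["alice"].password)
            and not verify_password("old-pass", users["alice"].password))


if __name__ == "__main__":
    print("reset flow succeeded:", demo())   # True
```

Two details matter in practice and are easy to get wrong: the token must be compared against its stored hash, never against a copy of the token itself, and it must be invalidated the moment it is used so a link lifted from a mailbox later cannot be replayed. The notification in step 3 is what turns a quiet account takeover into something the owner can react to.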



Re: django.contrib.auth user password decryption

2009-04-05 Thread soniiic

I hope that doesn't mean storing the real password in a table in the
database :)

On Apr 4, 11:12 pm, Joshua Partogi  wrote:
> On Apr 4, 11:49 pm, Masklinn  wrote:
>
>
>
>
>
>
>
> > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>
> > > Dear all,
>
> > > I already took a look at the django.contrib.auth.models but could not
> > > find any methods for decrypting the user password.
>
> > > Sometimes we need to get the real text password to be sent to the user.
>
> > > What is the best way to do this? Has anybody got an idea?
>
> > > Thank you very much in advance!
>
> > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve  
> > them, and that's exactly the intent (well the intent is not that *you*  
> > cannot retrieve them, it's that nobody else can). If you need to send  
> > users their passwords, you have to generate new (random) passwords and  
> > send them that.
>
> > Masklinn
>
> Thanks for the explanation Masklinn. :-)
>
> I'll find another way to send users their password.
>
> Thank you very much.



Re: django.contrib.auth user password decryption

2009-04-04 Thread Joshua Partogi



On Apr 4, 11:49 pm, Masklinn  wrote:
> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
>
> > Dear all,
>
> > I already took a look at the django.contrib.auth.models but could not
> > find any methods for decrypting the user password.
>
> > Sometimes we need to get the real text password to be sent to the user.
>
> > What is the best way to do this? Has anybody got an idea?
>
> > Thank you very much in advance!
>
> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve  
> them, and that's exactly the intent (well the intent is not that *you*  
> cannot retrieve them, it's that nobody else can). If you need to send  
> users their passwords, you have to generate new (random) passwords and  
> send them that.
>
> Masklinn

Thanks for the explanation Masklinn. :-)

I'll find another way to send users their password.

Thank you very much.



Re: django.contrib.auth user password decryption

2009-04-04 Thread Masklinn

On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> Dear all,
>
> I already took a look at the django.contrib.auth.models but could not
> find any methods for decrypting the user password.
>
> Sometimes we need to get the real text password to be sent to the user.
>
> What is the best way to do this? Has anybody got an idea?
>
> Thank you very much in advance!

Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve  
them, and that's exactly the intent (well the intent is not that *you*  
cannot retrieve them, it's that nobody else can). If you need to send  
users their passwords, you have to generate new (random) passwords and  
send them that.

Masklinn

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://en.wikipedia.org/wiki/Cryptographic_hash
[3] you can probably bruteforce them if you have a lot of time and  
computing power to waste, and future SHA-1 breakages might help you  
further, but that's all.

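What "salted and hashed" and footnote [3] mean in code, as an added example that is not from the thread and not Django's own source: a minimal re-implementation of the "algorithm$salt$hash" storage format that django.contrib.auth used at the time (hex SHA-1 over salt + password), a verifier that recomputes the digest rather than reversing it, and the guessing loop that is the only route from a stored hash back to a password. The function names, the 6-character salt and the wordlist are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Added example, not Django's code: the "sha1$salt$hexdigest" scheme
# django.contrib.auth used in 2009, re-implemented for illustration.


def make_password(raw_password: str, salt: Optional[str] = None) -> str:
    """Return 'sha1$<salt>$<hexdigest>' for raw_password.

    A fresh random salt is drawn when none is supplied, so two users with the
    same password get different stored values and one precomputed table of
    SHA-1 digests cannot be checked against the whole user table at once.
    """
    if salt is None:
        salt = secrets.token_hex(3)      # 6 hex chars (assumption; Django used 5)
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return f"sha1${salt}${digest}"


def check_password(raw_password: str, encoded: str) -> bool:
    """Verify a candidate without ever 'decrypting' the stored value.

    Verification recomputes the digest with the stored salt and compares it;
    nothing in `encoded` can be run backwards to the plaintext.
    """
    algorithm, salt, digest = encoded.split("$", 2)
    if algorithm != "sha1":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    candidate = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def guess_password(encoded: str, candidates: Iterable[str]) -> Optional[str]:
    """Footnote [3] in code: the only road from hash to password is guessing.

    Returns the first candidate that verifies, or None once the wordlist is
    exhausted. An attacker holding the table runs exactly this loop, only
    with a far larger wordlist and a much faster SHA-1 implementation.
    """
    for word in candidates:
        if check_password(word, encoded):
            return word
    return None


# Constructed wordlist for the demonstration; not real credentials.
WORDLIST = ["123456", "password", "letmein", "qwerty", "django"]

if __name__ == "__main__":
    weak = make_password("letmein")
    strong = make_password("c0rrect-horse-battery-staple-9f3a")
    print("weak password recovered:", guess_password(weak, WORDLIST))      # letmein
    print("strong password recovered:", guess_password(strong, WORDLIST))  # None
```

The salt defeats precomputation but does nothing about a fast hash: the loop above checks a weak password in microseconds, which is why Django later moved its default hasher to the iterated, deliberately slow PBKDF2. Either way the thread's conclusion stands: the stored value lets you check a password, not send it back.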



django.contrib.auth user password decryption

2009-04-04 Thread Joshua Partogi

Dear all,

I already took a look at the django.contrib.auth.models but could not
find any methods for decrypting the user password.

Sometimes we need to get the real text password to be sent to the user.

What is the best way to do this? Has anybody got an idea?

Thank you very much in advance!

-- 
If you can't believe in God the chances are your God is too small.

Read my blog: http://joshuajava.wordpress.com/
Follow me on twitter: http://twitter.com/jpartogi
