Use THIS For More SECURE Password Handling In Python

Use this for more secure password handling in Python. #python #code #shorts
Comments

Actually you should never compare plain text passwords cause this is the true security risk

Eldad.K

You shouldn’t store passwords in plaintext in the first place💀

viinisaari

I promise you no beginner who doesn't already know what you're talking about is going to understand this. What even is a timing attack?

victorajayi

I like the part where he explains timing attacks

yarikpetrenko

Someone who knows what a timed attack is will also know how to compare passwords. Conversely, someone who doesn't know how to hash or check passwords won't know what a timed attack is.

killereks

A timing attack is when you time a fart when you are leaving the elevator knowing there’s at least 10 more people with 10+ floors left

silverbackproductions

In fact, don't even use your own authentication service in Python. For most applications, you're probably better off looking for something like Firebase Auth, which supports signing in through not only email and password but also Google, Microsoft, and various other providers.
Cryptography is only going to get more and more complicated, and updating old code to meet higher security standards should be avoided in most software engineering environments.

I could maybe see a purpose if you need something to enter a password offline, assuming the password is hashed and salted/peppered etc. (NOT LITERAL LIKE THE VIDEO). It is super easy to find character strings in code; anyone with Binary Ninja will be able to figure it out.

basilicon.

Anybody who saves passwords in plaintext needs their computer taken away.

kerimgueney

You can't be sure about the timing over a network. It is true for closed-circuit systems, though. Not to mention all the passwords in modern web apps are stored as hashes, so the length would be equal.

gordonfreimann

Easy fix: delay 3 seconds before returning an “invalid username/password” indication. That slows down password-guessing attacks, and should totally bugger up timing attacks as a nice side-effect.

lawrencedoliveiro

Or you can just use hashlib, and compare the hash of the input and the hash of your password.

misterCon_

Most of the batteries-included features that are documented declare much of it insecure.

fenderrexfender

In most cases you don't have the password, but only an md5 hash of the salted password. Salted means something has been added to the password to make identical passwords appear as different in the database. It could be the unique identifier of the user that is added to the password, and then it gets converted using an md5 hash. An md5 hash cannot be reversed, meaning you cannot get the original password from the hash value.

casper_hansen

Just wanna say that beginners, who are likely the ones who need this, might be confused about the == being connected, thinking it is a different operator.

XxRadHatterxX

If you are taking security tips from shorts, you need to rethink your career choices.

leonardschungel

Give us examples of timing attacks, please.

salah

I love the part where he explained what a timing attack is or why using compare_digest is better.

pinheadlarry
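For the readers above asking what a timing attack on a password check looks like and why `hmac.compare_digest` is preferred, here is an added example (not code from the video). It does two things: it counts how many byte positions an early-exit equality check (the behaviour `==` can exhibit on secrets) inspects before giving up, showing that the work grows with the length of the matching prefix, and it shows the defensive pattern the commenters describe: store only a salted PBKDF2 hash and verify with a constant-time comparison. The use of PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte salt is an assumption chosen for the example; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are the real standard-library functions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example; tune iterations to your hardware budget.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def naive_compare_steps(a: bytes, b: bytes) -> int:
    """Count the byte positions an early-exit comparison inspects.

    This models the leak behind a timing attack: the number of steps (and so
    the elapsed time) depends on how long the matching prefix is, which is
    exactly what a constant-time comparison is meant to avoid.
    """
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break
    return steps


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash of the password; returns (salt, digest).

    Only the salt and digest are stored, never the password itself. A fresh
    random salt per user keeps identical passwords from producing identical
    database entries.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    hmac.compare_digest examines every byte regardless of where the inputs
    first differ, so the check's duration does not reveal a matching prefix.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed demo values.
    print("steps, wrong first byte:", naive_compare_steps(b"secret", b"xxxxxx"))
    print("steps, two bytes match: ", naive_compare_steps(b"secret", b"sexxxx"))
    print("steps, full match:      ", naive_compare_steps(b"secret", b"secret"))

    salt, digest = hash_password("correct horse battery staple")
    print("right password accepted:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password accepted:", verify_password("correct horse battery stapler", salt, digest))
```

Note that `naive_compare_steps` is only an instrument for counting work; the point is that a real login path should never reach a byte-by-byte comparison of guessable material at all, because once the stored value is a salted hash and the comparison is `compare_digest`, neither the password length nor a partial match changes how the check behaves.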

That's the same level of security, but inefficient.

hashtag

A better suggestion would be to avoid handling passwords if you're a beginner in the first place.

ChilledfishStick

Do not store passwords as they are; always hash them. This is the real security risk.

yairkaz