MongoDB with Async Python Transcripts
Chapter: PyPI Beanie
Lecture: Setting the User's Password

0:00 So super close to being done with our CLI app, and this is going to actually be something we can reuse throughout all of our applications that we build, like for example the FastAPI part.
0:11 All the questions and answers we're trying to get here are things that we'll be able to use over there as well.
0:17 So the last thing to do in our create user here is, you know, not give them none for a password hash, and also don't store their password directly.
0:27 So what do we do? Well, I could say MD5 of their password. That would be terrible.
0:35 You want to store the hash of their password in a way that has what's called salt. That is a unique bit of text plus the actual password.
0:44 So if somebody has a set of pre-computed hashes like this word hashes to that and this word
0:49 hashes to that, mixing in this salt means there's no way to compare them in that sort
0:55 of direct lookup style, okay? And you want to make sure that they're computationally hard to guess.
1:01 So instead of hashing at once, you want to take a hash, and then take that result and hash it again
1:06 and fold it over and over many, many times. So that is hard to guess with. Ideally, if you could,
1:13 you would also like to make it hard to use GPUs to crack these as well. So what we're going to use
1:18 is we're going to use this library called passlib. passlib is fantastic. And we're going to use the
1:24 Argon cryptographic hash out of it. So let's add it to requirements. So, passlib.
1:31 Now remember, you don't have to follow these steps to generate an updated TXT because you'll
1:38 have it but I'm just showing you the steps in case you want to kind of use this pip tools style.
1:42 So what we're going to do here is we're going to say pip tools. pip compile, sorry, pip compile.
1:51 Take this requirements as an input and say upgrade whatever is there. We go and look at the changes for the requirements.txt. What do we get?
2:03 Let's see, we added passlib directly. Anything else? No, nothing else was upgraded.
2:10 Potentially with that upgrade, you know, there was a release of Beanie that would have also been incremented over there, but it wasn't.
2:17 So this is going to add passlib while we're sitting here. Now we need to install it. Of course you could just click this,
2:27 but if you're not using PyCharm, you just pip install -r requirements. There it goes, excellent.
2:34 So give it a moment and PyCharm will become happy again. So up at the top, let's put, oops, let's put our crypto handler up there
2:44 and I'll put it at the very, very top. And also put this article here about why Argon 2 versus other things, you can look at it, it just says,
2:52 how expensive is it to crack a password drive with Argon 2? Very, this is good, this is really good.
3:00 So it won the password hashing competition and so on, really good stuff, all right. So what we're gonna do is down here,
3:08 instead of doing this, we're gonna take their password and we're gonna use passlib. And up here, notice I imported argon2 as crypto.
3:19 So we're just gonna say crypto. What do we wanna do? We want to encrypt their password. And that's it. And later, if we want to verify it,
3:32 we would say if crypto verify, the secret is the real password and the encryption would be the hashed password that we get back out of the database.
3:42 So like user.hashpassword. That would be the test we'd do to see if they entered the right one later,
3:48 but we're not testing it now, we're just saving it, right? Let's go create one more user. Oh, one other thing.
3:55 Up here at the top, that's where we're doing our argon, and I'll put this. We're going to go and say, I talked about that folding,
4:04 take the output, do it again, take the output, do it again. For this particular algorithm, doing it 25 times is around 200 milliseconds of work.
4:14 That seems like a good amount. Yeah, that's right over there. So that's a good amount of work. It's not so long that it takes forever to log in
4:22 or kill your server, but it's not so short that people can just hit it with a bunch of parallelism and get the answer, you know, crack it right away.
4:30 All right, let's go ahead and create a user. One more user. We're gonna create Sarah.
4:38 Now Sarah's password, she's way more password sensitive and conscious than I am. She's going to use three letter A's, not just the one like I do.
4:47 She's serious about security. She lives in Tennessee in the US. Oh, looks like I forgot to run one more install. Let's do that real quick. [no audio]
5:09 Try again. It doesn't come with all the back-end computation for the different algorithms. You've got to add those separately.
5:16 Again, highly security conscious. TN, US. Did you notice that little bit of a lag there? That was that 200 milliseconds of "we're thinking really hard",
5:27 So if anyone else tries to replicate this, they also have to think really hard. And let's just go find her by email in the database.
5:36 There it is. And remember, she used the letter A three times. Look at her password here.
5:41 So argon2 stores what algorithm was applied, what version of that algorithm, some other startup data, how many foldings go through,
5:52 and then it has the salt and then this huge cryptographic thing over here.
5:59 All of that from the letter A and it's incredibly hard to guess. Okay, so super, super cool.
6:05 And now we're storing our passwords safely. I know it's not really part of the course that we're
6:11 creating users safely. So we're not going to go too much. We're not going to talk about this anymore,
6:16 basically. But I did want to show you like, look, if you're putting users into MongoDB,
6:21 you really need to do one-way hashes on things like their password or other stuff you want to verify,
6:28 but not even we can decrypt this. We can just say, given the password again, the three letter A's,
6:34 does it match, right? That crypto.verify. That's all we can do. So really, really excellent.
6:41 Highly recommend PassLib as one of your options for this kind of stuff.
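As an added example (not code from the course or from passlib), here is the pattern the lecture describes: a per-user salt, a tunable amount of work, a stored string that records the algorithm, parameters, salt and digest, and a verify step that re-hashes and compares. It uses the standard library's hashlib.scrypt (memory-hard, like Argon2) so it runs without passlib or an argon2 backend; the `$scrypt$...` layout and the function names are my own, mirroring the `$argon2id$v=19$m=...,t=...,p=...$salt$hash` strings passlib stores.

```python
import base64
import hashlib
import hmac
import os

# Work parameters for scrypt: n is the CPU/memory cost (a power of 2),
# r the block size, p the parallelism. 2**14 keeps the example fast; raise n
# in production until a hash costs roughly the 200 ms the lecture aims for.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt=None) -> str:
    """Return a self-describing string: algorithm, params, salt, digest.

    The salt is 16 random bytes per call (a fixed salt may be passed for tests),
    so the same password never yields the same stored value twice.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **PARAMS)
    n, r, p = PARAMS["n"], PARAMS["r"], PARAMS["p"]
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and params, compare in constant time."""
    try:
        _, algo, params, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # not one of our hash strings
    if algo != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=_unb64(salt_b64),
        n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]),
        dklen=32,
    )
    # compare_digest avoids leaking where the digests first differ via timing
    return hmac.compare_digest(candidate, _unb64(digest_b64))
```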