Python for Entrepreneurs Transcripts
Chapter: Course Conclusion
Lecture: Lightning review: Accounts
Login or
purchase this course
to watch this video and the rest of the course contents.
0:01
People create accounts at our site so we're going to model this as an account class in sqlalchemy,
0:09
and I think most of this is pretty straightforward, what's your id what's your email address, do they have a name are they a super user,
0:15
but the most important takeaway from this section was you must not store your passwords as plain text, you must hash them.
0:23
Very bad things like being featured on the front page of CNN saying you know, a hundred million accounts were leaked type of stuff happened,
0:32
if you don't pay attention here. So be very careful about this. How do you go about this hashing? We could create an md5 hash and hash it ourselves,
0:43
that's not a good choice, not really at all for md5, you could pick a better hashing algorithm, but what we saw was
0:50
actually passlib really takes all those best practices and bundles it up into like a single function call.
0:57
So install the library passlib and we're going to use sha512 cryptographic hash
1:02
there's other ones you can pick from, but everyone that they make available to you is one of the recommended ones,
1:10
then all we have to do is say sha512 encrypt and give it the plain text and how many times you want it to iterate it, so what does that mean?
1:19
Well it means it's going to go around and around not hashing it once, but taking the result hashing that, taking the result hashing that
1:25
and mixing all along the way. So we start with our password, and we say hash it, hash it, hash it,
1:31
until after a hundred and fifty thousand times of doing that, we get something that is not just a little bit hard to guess
1:37
but extremely hard and computationally difficult to guess. Passlib makes all of this best practice one function call
1:45
that is super easy to understand so you should definitely do this. Alright, then all we have to do to verify this is get that back
1:52
and say verify here's the plain text password the user typed in and this thing we stored in the database, that's here In the comments
1:59
and it will verify that everything works. Notice that even stores the number of rounds so you can increase this over time for your new users
2:06
and your old users will still use the hundred fifty thousand.