Python for Entrepreneurs Transcripts
Chapter: Course Conclusion
Lecture: Lightning review: Accounts
0:01 People create accounts at our site
0:04 so we're going to model this as an account class in SQLAlchemy,
0:08 and I think most of this is pretty straightforward, what's your id,
0:11 what's your email address, do they have a name, are they a super user,
0:14 but the most important takeaway from this section was
0:17 you must not store your passwords as plain text, you must hash them.
0:22 Very bad things like being featured on the front page of CNN saying
0:27 you know, a hundred million accounts were leaked type of stuff happen,
0:31 if you don't pay attention here. So be very careful about this.
0:35 How do you go about this hashing?
0:38 We could create an md5 hash and hash it ourselves,
0:42 that's not a good choice, not really at all for md5,
0:46 you could pick a better hashing algorithm, but what we saw was
0:49 actually passlib really takes all those best practices and bundles it up
0:53 into like a single function call.
0:56 So install the library passlib and we're going to use sha512 cryptographic hash
1:01 there's other ones you can pick from, but everyone that they make available to you
1:05 is one of the recommended ones,
1:09 then all we have to do is say sha512 encrypt
1:12 and give it the plain text and how many times you want it to iterate it,
1:16 so what does that mean?
1:18 Well it means it's going to go around and around not hashing it once,
1:21 but taking the result hashing that, taking the result hashing that
1:24 and mixing all along the way.
1:26 So we start with our password, and we say hash it, hash it, hash it,
1:30 until after a hundred and fifty thousand times of doing that,
1:34 we get something that is not just a little bit hard to guess
1:36 but extremely hard and computationally difficult to guess.
1:40 Passlib makes all of this best practice one function call
1:44 that is super easy to understand so you should definitely do this.
1:48 Alright, then all we have to do to verify this is get that back
1:51 and say verify here's the plain text password the user typed in
1:55 and this thing we stored in the database, that's here in the comments
1:58 and it will verify that everything works.
2:01 Notice that it even stores the number of rounds
2:03 so you can increase this over time for your new users
2:05 and your old users will still use the hundred fifty thousand.
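The hash-then-verify workflow from this lecture, as an added example that is not part of the course: it uses the standard library's hashlib.pbkdf2_hmac in place of passlib's sha512_crypt so it runs without passlib, and stores a self-describing string that records the round count, which is what lets the needs_rehash check raise rounds for new users while old hashes keep verifying. The string layout and the function names are this example's own choices, not passlib's.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Format tag and iteration count for newly created hashes; raise the count over time.
ALGO = "pbkdf2-sha512"
CURRENT_ROUNDS = 150_000  # the iteration count used in the lecture


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(plain: str, rounds: int = CURRENT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and return a self-describing string
    ($algo$rounds$salt$digest) so verify can rebuild the same derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", plain.encode("utf-8"), salt, rounds)
    return f"${ALGO}${rounds}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    _, algo, rounds, salt, digest = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash format: {algo}")
    return int(rounds), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(plain: str, stored: str) -> bool:
    """Re-derive with the rounds and salt recorded in the stored value and
    compare in constant time, so timing does not leak how many bytes matched."""
    rounds, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha512", plain.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored value used fewer rounds than CURRENT_ROUNDS: old
    users still verify, and can be rehashed after their next successful login."""
    rounds, _, _ = _parse(stored)
    return rounds < CURRENT_ROUNDS
```

On a successful login, call needs_rehash on the stored value and, when it returns True, replace it with hash_password of the password just verified.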