Hey everyone! Part 1 explained encryption. Now let's secure passwords.
The Problem: Plain Text Passwords
In my first version, I stored passwords like this:
if user and user.password == p_word:
    session['logged_in'] = True  # LOGIN: the stored column holds the plain-text password
This is TERRIBLE because:
- If the database leaks, every user's password is exposed
- No hashing = no protection
- One breach = account takeover (on this site and anywhere the password was reused)
The Solution: Werkzeug Password Hashing
Use werkzeug.security to hash passwords:
Registration:
from werkzeug.security import generate_password_hash
hashed_password = generate_password_hash(password)  # salted, one-way hash of the submitted password
user = User(username=username, password=hashed_password)  # only the hash is stored
db.session.add(user)
db.session.commit()
Login:
from werkzeug.security import check_password_hash
user = User.query.filter_by(username=username).first()
# re-hashes the submitted password with the stored salt and compares the result
if user and check_password_hash(user.password, password):
    session['logged_in'] = True
    # USER LOGGED IN
Why This Works
- Passwords are hashed (one-way)
- The hash can't be reversed back into the password
- Even if the hashes leak, the passwords themselves are not exposed
- Industry standard
- Built into the Flask ecosystem (Werkzeug is a dependency of Flask)
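To see what those two calls do underneath, here is an added stand-alone example (not code from this post or from Werkzeug itself) that reproduces the same salted, iterated hashing and constant-time check using only the Python standard library, so it runs without Flask. The `USERS` dict and `login` helper are constructed for the demo, and the stored-hash layout follows werkzeug's pbkdf2 `method$salt$digest` form.

```python
# Added example (not from the original post): a stand-alone model of what
# werkzeug's generate_password_hash / check_password_hash do, built only on the
# Python standard library so it runs without Flask or werkzeug installed.
# Hash layout mirrors werkzeug's pbkdf2 form: "pbkdf2:sha256:<iters>$<salt>$<hex>".
import hashlib
import hmac
import secrets
import string

ITERATIONS = 600_000  # work factor: every guess has to repeat this many rounds


def generate_password_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Return a salted, iterated hash. A fresh random salt is drawn on every call."""
    alphabet = string.ascii_letters + string.digits
    salt = "".join(secrets.choice(alphabet) for _ in range(16))
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def check_password_hash(pwhash: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        method, salt, digest = pwhash.split("$", 2)
        _, hash_name, iters = method.split(":")
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), salt.encode("utf-8"), int(iters)
        ).hex()
    except ValueError:
        return False  # malformed stored value: never treat it as a match
    # compare_digest does not stop at the first differing character
    return hmac.compare_digest(candidate, digest)


# Constructed sample "database": username -> stored hash (never the password).
USERS = {"alice": generate_password_hash("correct horse battery staple")}


def login(username: str, password: str) -> bool:
    """The post's login check, done against the stored hash instead of plain text."""
    stored = USERS.get(username)
    return bool(stored) and check_password_hash(stored, password)
```

Running `generate_password_hash` twice on the same password gives two different strings because of the salt, yet both verify; hashing only raises the cost of guessing, so a weak password can still be cracked offline if the hashes leak.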
What I Learned
Passwords must NEVER be stored in plain text. Ever.
Part 3 Coming
File uploads and validation.
Questions? Drop them below!