Broken Authentication

Insecure Password Storage in Python

Vulnerability: Insecure Password Storage

Vulnerable Code:

import sqlite3

# Both values are taken from the user here; the original snippet never defined `username`.
username = input("Enter your username: ")
password = input("Enter your password: ")

conn = sqlite3.connect('users.db')
cursor = conn.cursor()
cursor.execute("CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password TEXT)")
# The password is written exactly as typed: anyone who can read users.db can read it.
cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
conn.commit()
conn.close()

Reason for vulnerability: Passwords are stored in plain text, so anyone who obtains the database (through a backup, a misconfigured share, SQL injection elsewhere, or a stolen disk) immediately has every user's password, including any reused on other sites.

Fixed Code:

import sqlite3
import bcrypt  # third-party package: pip install bcrypt

username = input("Enter your username: ")
password = input("Enter your password: ")

# bcrypt.gensalt() produces a fresh random salt; hashpw embeds the salt and cost in the output.
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())

conn = sqlite3.connect('users.db')
cursor = conn.cursor()
cursor.execute("CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password BLOB)")
# Only the bcrypt hash is stored; at login time compare with bcrypt.checkpw(candidate, hashed).
cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, hashed))
conn.commit()
conn.close()

Reason for fix: bcrypt is a salted, deliberately slow password hash. Hashing before storage means a leaked database yields only hashes, so an attacker must guess each password separately at bcrypt's cost per attempt, and the per-user random salt prevents precomputed (rainbow) tables from being applied across users.
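The page shows only the registration half of the fix. The example below, added here and not part of the original page, completes the flow with the login-time verification step. It assumes PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt so that it runs without third-party packages; the record format (algorithm$iterations$salt$digest), the 600,000-iteration cost and the table layout are this example's own choices, not the page's. It uses a constant-time comparison and an in-memory SQLite database so it can be run as-is.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed parameters (not from the original page): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and 600,000 iterations. bcrypt, scrypt or Argon2id are
# equally valid choices; the structure of the code is the same.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Storing the salt and cost alongside the digest lets the cost be raised later
    without breaking existing accounts (rehash on next successful login).
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/cost and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a throwaway value, used so that a login attempt for an unknown user
# costs the same as one for a real user (no username enumeration via timing).
DUMMY_HASH = hash_password("dummy-value-never-a-real-password")


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the database and make sure the users table exists (constructed schema)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only the password hash, never the password itself."""
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches the stored hash."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # burn the same time, then reject
        return False
    return verify_password(password, row[0])


def stored_record(conn: sqlite3.Connection, username: str) -> str:
    """Fetch the raw stored value so a reviewer can confirm it is not the password."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return "" if row is None else row[0]


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse battery staple")
    print("stored:", stored_record(db, "alice"))
    print("right password:", authenticate(db, "alice", "correct horse battery staple"))
    print("wrong password:", authenticate(db, "alice", "hunter2"))
    print("unknown user:", authenticate(db, "nobody", "hunter2"))
```

The check a reviewer should run against any password store is the one `stored_record` makes easy: the value in the `password` column must never contain the password, and two users with the same password must not share a stored value (the random salt guarantees that).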
