Broken Authentication

Insecure Password Storage in Python

Vulnerability: Insecure Password Storage

Vulnerable Code:

pythonCopy codeimport sqlite3

password = input("Enter your password: ")
conn = sqlite3.connect('users.db')
cursor = conn.cursor()
cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
conn.commit()
conn.close()

Reason for vulnerability: Passwords are stored in plain text, making them easily accessible if the database is compromised.

Fixed Code:

pythonCopy codeimport sqlite3
import bcrypt

password = input("Enter your password: ")
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
conn = sqlite3.connect('users.db')
cursor = conn.cursor()
cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, hashed))
conn.commit()
conn.close()

Reason for fix: Using bcrypt to hash passwords before storing them ensures that even if the database is compromised, the passwords are not easily recoverable.

PreviousBroken Access Control NextCommand Injection

Last updated 11 months ago