Home/ Questions/Q 8076075
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T15:11:14+00:00

I’m working on a small uni project where I have a program for a

  • 0

I’m working on a small uni project where I have a program for a single user in Python using the tkinter module. I want create a screen where they will be required to enter their password. I’m not sure how to do this and where would I store the password?

I have no experience in database but I’ve heard of MD5 & SHA256 and I was thinking of writing the hashed or encrypted password to a text file and then reading it but I am not sure if this is safe.

The password functionality is to prevent others from looking at the users’ personal diary entries.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This answer takes the simplest route in achieving a measure of security. @J.F.Sebastian points out in comments that you can definitely explore more robust security procedures with greater encryption, but this really depends on your needs

    If your goal is just to experiment and create a proof-of-concept login system, you can just go with the encryption + flat file approach. For storing a password, you probably only need SHA1 since what you are encrypting is a variation of the password, and not sensitive data itself. What I mean is that you don’t care about the data itself. You only care about comparing encryption results…

    First you would pick a secret character set as a “salt”. Unfortunately you are using an uncompiled language, so your salt will probably live within your program. But at least the password files by themselves are not useable. (“salt” is being used here as your only secret value. In a more secure approach, the secret would be a separate key used outside of the hashing of the password+salt)

    import hashlib
salt = "-WOu@p.Za,>W+6&`A63/"
user_password = "password"
sha1 = hashlib.sha1()
sha1.update(user_password + salt)
encrypted = sha1.hexdigest()
print encrypted
# 476dc4076d1c7eb43152b78e9dc20d892f660f24

    You can store that encrypted sha1 value to a file. Its of no use to anyone without the secret salt value. All you will do is use this value to compare against the future sha1 value when a user authenticates

    test_sha1 = hashlib.sha1(raw_input("Enter password: ") + salt).hexdigest()
# Enter password:  password
print encrypted == test_sha1
# True

    You never actually know their password. You only know the sha1 value derived from it plus the salt. Think of it like two guards each needing to provide a key, turned simultaneously, to open the vault.

    Otherwise…. you can store this in a database, along with the salt value. The procedure would still be the same but you move the salt to a more secure location that requres auth to even query it. No matter what, your salt secret is the most prized possession.

    Addressing the SHA256… Greater encryption algorithms are needed for the act of storing the real data in a tangible format that needs protection (or when creating a slower hashing process for your passwords to make brute force cracking take longer to accomplish). For instance, if you decided to store a users private diary entries, you might encrypt against their password, and only store this encrypted format either on disk or in a database. When the user authenticates, you can deliver to them the decrypted data by way of their password. You never store the password, so even you as the author of the software can’t access their data without their original password.

    Again, as @J.F.Sebastian points out, the more robust approach would be using a bcrypt library:
    http://www.mindrot.org/projects/py-bcrypt/

    • 0