
I am getting the following error while encrypting the password using the bz2 module in Python. I am saving that encrypted value in the DB.

Error:

ProgrammingError at /signsave/
You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings (like text_factory = str). It is highly recommended that you instead just switch your application to Unicode strings.
Request Method: POST
Request URL: http://127.0.0.1:8000/signsave/
Django Version: 1.11.2
Exception Type: ProgrammingError
Exception Value: You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings (like text_factory = str). It is highly recommended that you instead just switch your application to Unicode strings.

Here is my code:

import bz2

from django.shortcuts import render

# Assumed location of the User model used below; the question does not show it.
from .models import User


def signsave(request):
    """This function helps to save signup data"""

    if request.method == 'POST':
        name = request.POST.get('uname')
        password = request.POST.get('pass')
        con_pass = request.POST.get('conpass')
        # bz2.compress() returns a byte string. Under Python 2 the sqlite3 driver
        # refuses to store those bytes in a text column, which is the
        # ProgrammingError shown above; under Python 3 this line raises TypeError
        # instead, because compress() requires bytes, not str.
        new_pass = bz2.compress(password)
        if password == con_pass:
            passw = User(
                uname=name,
                password=new_pass,
                raw_password=password,
            )
            passw.save()
            message = "Registered successfully"
            return render(request, 'bookingservice/login.html', {'msg': message})
        else:
            message = "The password did not match "
            return render(request, 'bookingservice/signup.html', {'msg': message})

When I try to save the encrypted value, these errors occur.

halfer
satya
    bz2 is a compression algorithm not an encryption algorithm. The passwords are effectively still stored in plaintext. – JeffUK Jul 10 '17 at 12:23
  • I think the problem is mostly that you use bz2 to compress (not encrypt) password. Passwords are usually hashed, then salted instead. This is a "destructive" process, as in once the password is processed, you can check easily if another input matches the password, but it is close to impossible to recover the password. Compression is a definitive no, encryption could be ok, hashing + salting is the recommended way – Anthony Rossi Jul 10 '17 at 12:30
  • Can you give any idea about easy encryption algorithm. – satya Jul 10 '17 at 12:31
  • @AnthonyRossi "hashing, then salting" is no longer sufficient. This is not secure, **do not do this**. – zaph Jul 10 '17 at 14:26
  • Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `Bcrypt` or similar functions. `PBKDF2` is the NIST approved method for password verifiers. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jul 10 '17 at 14:27

1 Answer

-1

You shouldn't use bz2 for anything but compression. Use built-in hashlib module instead.

Replace bz2.compress(password) with hashlib.sha256(str.encode(password)).digest(). You'll get a SHA256 hash of your password string, which you can check against other strings' hashes, proving their validity.

Oleksii Filonenko
  • This is **not secure**, do not do this. Just using a hash function is not sufficient and just adding a salt does little to improve the security. See the comment to the question for more information. – zaph Jul 10 '17 at 14:21
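The following is an added example, not code from the asker or the answerer, that puts the three approaches discussed on this page side by side: the question's bz2.compress() (reversible, so the password is effectively stored in plaintext), the answer's unsalted SHA-256 (deterministic, so equal passwords produce equal hashes), and the per-password-salted, iterated PBKDF2-HMAC-SHA256 that zaph's comment recommends, with a constant-time comparison on verification. It uses only the Python standard library; the "algorithm$iterations$salt$hash" storage string and the function names are this example's own choices (they mirror the shape Django uses, but are not Django's code). In a Django 1.11 project the idiomatic route is to call make_password() and check_password() from django.contrib.auth.hashers, which default to PBKDF2-SHA256, and to drop the raw_password column from the model entirely.

```python
import base64
import bz2
import hashlib
import hmac
import os

# Raise this until one hash costs roughly 100 ms on the deployment hardware.
PBKDF2_ITERATIONS = 100000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def compress_is_reversible(password: str) -> bool:
    """bz2.compress() is lossless: decompressing the stored value yields the
    exact password, which is why compression offers no protection at all."""
    stored = bz2.compress(password.encode("utf-8"))
    return bz2.decompress(stored).decode("utf-8") == password


def plain_sha256(password: str) -> str:
    """The answer's approach: a single unsalted SHA-256. Two users with the same
    password get the same hash, and precomputed tables defeat it cheaply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_password_hash(password: str, iterations: int = PBKDF2_ITERATIONS,
                       salt: bytes = None) -> str:
    """Derive a salted, iterated PBKDF2-HMAC-SHA256 verifier and encode it as
    'algorithm$iterations$salt$hash' so the salt and cost travel with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def check_password_hash(password: str, encoded: str) -> bool:
    """Re-derive the candidate with the stored salt and iteration count and
    compare in constant time. Malformed or foreign-algorithm strings fail closed."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = encoded.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "hunter2"  # constructed sample password
    print("bz2 recovers the password:", compress_is_reversible(sample))
    print("sha256 is deterministic:", plain_sha256(sample) == plain_sha256(sample))
    stored = make_password_hash(sample)
    print("stored verifier:", stored)
    print("correct password accepted:", check_password_hash(sample, stored))
    print("wrong password rejected:", check_password_hash("hunter3", stored))
```

The verifier string replaces the model's password field; at login, load it by username and call check_password_hash() with the submitted password. Because the salt is random per user, hashing the same password twice yields two different strings, so the database no longer reveals which accounts share a password.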