0

i am creating a login function and a part of this includes checking a password entered by the user against the password stored in the database.

The problem is, when the password is created during the sign up step, it is stored as an encrypted string using fernet. Now I tried to see if encrypting the password entered by the user with the same key would produce the same encrypted string value as the one in the database, but fernet will create unique strings using the same key on the same plaintext.

What other ways can i check a password entered against its encrypted counterpart in the database?

import sqlite3
from cryptography.fernet import Fernet
key = Fernet.generate_key()
fernet = Fernet(key)

def loginFunc():
  email = input("What is your email: ")
  password = input("what is your password: ")
  #a variable that can be used to save the data from users database
  emailList = '''SELECT * FROM users WHERE `email` = ? and `password` = ?'''
  #takes arguments into variable
  password_checkEnc = fernet.encrypt(password.encode())
  inputs = (email, password_checkEnc)
  #executes line 62 to save the data that matches the arguments from 'inputs' and stores in emailList
  cursor.execute(emailList, inputs)
  user = cursor.fetchone()
  #if statement to check if the database holds the data that is being searched for, allowing either the user to login or not
  if user is not None:
    print("login successful")
  else:
    print("incorrect information")
Ivan McKenna
  • 21
  • 5

1 Answers1

0

Why not just decrypt the password and check that way? My understanding of fernet key encryption is to do exactly what you're describing, creating a random encryption of the value each time. The purpose of the key is to decrypt it later. It would probably help to see your code where you initially encrypt the password but just looking at what you have here, it looks like you're generating a new key, not using the same one as before. You have to actually save the key you create initially with something like this:

# key generation
key = Fernet.generate_key()
fernet = Fernet(key)

# string the key in a file
with open('C:/locationofyourchoosing/newkey.key', 'wb') as filekey:
    filekey.write(key)

# using the key to encrypt
f = Fernet(key)
f.encrypt(databasepassword)

Then you use this same key to decrypt the value later like this:

# opening the key
with open('C:/locationofyourchoosing/newkey.key', 'rb') as filekey:
    key = filekey.read()

f = Fernet(key)
f.decrypt(databasepassword)

Then from there you can check the equality of the password. Forgive me if this isn't what you're looking for but I'm not sure you can produce the same encrypted string each time as I believe that would defeat the purpose. I hope this helps and again, if I'm missing the mark completely, please let me know as I'm just a touch confused as to why you're wanting to check equality this way.

Danno
  • 1
  • 2
  • Usually, passwords are _hashed_ rather than encrypted. Password hashes are one-way - they can't be decrypted - so the check is made by hashing the input password and comparing it with a stored hash of the original. [more...](https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification) – snakecharmerb Dec 17 '22 at 17:39
  • I did not know this! Super useful info thank you @snakecharmerb. I'm BRAND NEW to the whole encryption thing as I currently use fernet to encrypt/decrypt employee passwords only I use a single password to generate the key, then I save the salt. Then when I need to decrypt, I use the password I used before plus the saved salt, and generate the same fernet key. I read this was a safer way than storing the actual key. But I will look into what you just suggested now thank you! – Danno Dec 17 '22 at 18:38