From fa327fd4fadcca746b466dfd8dbd166a50d8efad Mon Sep 17 00:00:00 2001 From: wldtyp Date: Fri, 3 Jun 2016 01:00:55 -0700 Subject: [PATCH] Tutorial: Note extensions for encrypting passwords (#1854) Fix #836 --- docs/tutorial/views.rst | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/docs/tutorial/views.rst b/docs/tutorial/views.rst index 618c97c6..bdfdf2f0 100644 --- a/docs/tutorial/views.rst +++ b/docs/tutorial/views.rst @@ -94,11 +94,24 @@ if the user was logged in. session.pop('logged_in', None) flash('You were logged out') return redirect(url_for('show_entries')) - -Note that it is not a good idea to store passwords in plain text. You want to -protect login credentials if someone happens to have access to your database. -One way to do this is to use Security Helpers from Werkzeug to hash the -password. However, the emphasis of this tutorial is to demonstrate the basics -of Flask and plain text passwords are used for simplicity. + +.. admonition:: Security Note + + Passwords should never be stored in plain text in a production + system. This tutorial uses plain text passwords for simplicity. If you + plan to release a project based off this tutorial out into the world, + passwords should be both `hashed and salted`_ before being stored in a + database or file. + + Fortunately, there are Flask extensions for the purpose of + hashing passwords and verifying passwords against hashes, so adding + this functionality is fairly straight forward. There are also + many general python libraries that can be used for hashing. + + You can find a list of recommended Flask extensions + `here `_ + Continue with :ref:`tutorial-templates`. + +.. _hashed and salted: https://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/ \ No newline at end of file
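Review bot: The reference "`here `_" in the last paragraph of the new admonition has no URL target, so Sphinx will fail with an unknown target name for "here"; give it an explicit target such as "`here <URL>`_" or a named "_here:" target alongside the existing "_hashed and salted:" definition at the bottom. Two smaller points in the same hunk: the old text's pointer to Werkzeug's Security Helpers is dropped in favour of a generic "Flask extensions" sentence, yet Werkzeug is already a Flask dependency and its generate_password_hash/check_password_hash pair is the most direct option for a tutorial reader, so keeping that mention (with its extension list) would be more useful than removing it; and "hashed and salted" should say that a slow, purpose-built password hash (e.g. bcrypt, scrypt, PBKDF2) is meant, since a salted fast hash still does not protect against offline guessing. Typos: "straight forward" should be "straightforward" and "python" should be "Python". The file also loses its trailing newline ("No newline at end of file"); restore it.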