Browse Source

Tutorial: Note extensions for encrypting passwords (#1854)

Fix #836
pull/1849/merge
wldtyp 9 years ago committed by Jeff Widman
parent
commit
fa327fd4fa
  1. 25
      docs/tutorial/views.rst

25
docs/tutorial/views.rst

@ -94,11 +94,24 @@ if the user was logged in.
session.pop('logged_in', None) session.pop('logged_in', None)
flash('You were logged out') flash('You were logged out')
return redirect(url_for('show_entries')) return redirect(url_for('show_entries'))
Note that it is not a good idea to store passwords in plain text. You want to .. admonition:: Security Note
protect login credentials if someone happens to have access to your database.
One way to do this is to use Security Helpers from Werkzeug to hash the Passwords should never be stored in plain text in a production
password. However, the emphasis of this tutorial is to demonstrate the basics system. This tutorial uses plain text passwords for simplicity. If you
of Flask and plain text passwords are used for simplicity. plan to release a project based off this tutorial out into the world,
passwords should be both `hashed and salted`_ before being stored in a
database or file.
Fortunately, there are Flask extensions for the purpose of
hashing passwords and verifying passwords against hashes, so adding
this functionality is fairly straight forward. There are also
many general python libraries that can be used for hashing.
You can find a list of recommended Flask extensions
`here <http://flask.pocoo.org/extensions/>`_
Continue with :ref:`tutorial-templates`. Continue with :ref:`tutorial-templates`.
.. _hashed and salted: https://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
Loading…
Cancel
Save