def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != password: response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) else: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != password: response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): # TODO: ex2.1 load_breaches(db) # Load here -> load each time (plaintext_breaches, hashed_breaches, salted_breaches) = get_breaches(db, username) for breach in plaintext_breaches: if breach.password == password: response.status = 401 error = "Credential is already breached for {} and current password.".format( username) break if not error: for breach in hashed_breaches: if breach.hashed_password == hash_sha256(password): response.status = 401 error = "Credential is already breached for {} and current password.".format( username) break if not error: for breach in salted_breaches: if breach.salted_password == hash_pbkdf2( password, breach.salt): response.status = 401 error = "Credential is already breached for {} and current password.".format( username) break if not error and user is not None: response.status = 401 error = "{} is already taken.".format(username) if not error: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != hash_pbkdf2(password, user.salt): response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) ############## My Code ############################################ else: p,h,s = get_breaches(db, username) for i in range(len(p)): print(i) if( password == p[i].password): error = "User/Password Combo Found in Breach" hp = hash_sha256(password) for i in range(len(h)): if(hp == h[i].hashed_password): error = "User/Password Combo Found in Breach" for i in range(len(s)): sp = hash_pbkdf2(password, s[i].salt) if(sp == s[i].salted_password): error = "User/Password Combo Found in Breach" ###################### My Code ############################################# create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) plaintext_breaches, hashed_breaches, salted_breaches = get_breaches( db, username) breached = False for cred in plaintext_breaches: if cred.password == password: breached = True for cred_h in hashed_breaches: if cred_h.hashed_password == hash_sha256(password): breached = True for cred_s in salted_breaches: if cred_s.salted_password == hash_pbkdf2(password, cred_s.salt): breached = True if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != hash_pbkdf2(password, user.salt): response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) elif breached: response.status = 401 error = "This username and password pair is breached!" else: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): for param, val in request.forms.iteritems(): param_ht.insert(param, val) username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != password: response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) else: user = create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login cbc = app.api.encr_decr.Encryption(encryption_key) existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", session.get_id()) # FINDME: admin bytes 0x00 (not admin) or 0x01 (admin) concatentated with plaintext password admin_cookie_pt = app.api.encr_decr.format_plaintext( int(user.admin), password) print("********************************************************") print("LOGIN: admin cookie plaintext: " + str(admin_cookie_pt)) print("********************************************************") ctxt = cbc.encrypt(admin_cookie_pt) response.set_cookie("admin", ctxt.hex()) return redirect("/profile/{}".format(username)) return template("login", login_error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(db, username) breached = is_plaintext_breached( password, plaintext_breaches) or is_hashed_breached(password, hashed_breaches) or is_salted_breached(password, salted_breaches) salted = hash_pbkdf2(password,user.salt) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.salted_password != salted: response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) elif breached: response.status = 401 error = "Password found in a data breach, please use another password." else: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != hash_pbkdf2(password, user.salt): response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) else: if not is_comprimised_accounts(db, username, password): create_user(db, username, password) else: response.status = 401 error = "Attempted password for {} has been found in breached database .".format( username) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) elif user.password != hash_pbkdf2(password, user.salt): response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): flag = 0 if (user is not None): response.status = 401 error = "{} is already taken.".format(username) else: if get_breaches(db, username) != ([], [], []): pb = load_breach(PLAINTEXT_BREACH_PATH) hb = load_breach(HASHED_BREACH_PATH) sb = load_breach(SALTED_BREACH_PATH) hashed = hash_sha256(password) (p, h, s) = get_breaches(db, username) print(s) if p != []: x = [x for x in pb if username in x][0] if pb[pb.index(x)][1] == password: response.status = 401 error = "{}'s password is breached.".format(username) flag = 1 elif h != []: x = [x for x in hb if username in x][0] if hb[hb.index(x)][1] == hashed: response.status = 401 error = "{}'s password is breached.".format(username) flag = 1 elif s != []: x = [x for x in sb if username in x][0] salted = hash_pbkdf2(password, sb[sb.index(x)][2]) if sb[sb.index(x)][1] == salted: response.status = 401 error = "{}'s password is breached.".format(username) flag = 1 if flag != 1: create_user(db, username, password) else: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)
def do_login(db): username = request.forms.get('username') password = request.forms.get('password') error = None user = get_user(db, username) print(user) if (request.forms.get("login")): if user is None: response.status = 401 error = "{} is not registered.".format(username) #for this elif statement, we change password to be the hashed/salted #version of the plain text password. We do this by using the hash_pbkdf2 #function from hash.py using the plain text password and the #random_salt assigned to the user. This allows us to throw an error #if the hash of the password used to login does not match the hash of #the password used to register. elif user.password != hash_pbkdf2(password, user.random_salt): response.status = 401 error = "Wrong password for {}.".format(username) else: pass # Successful login elif (request.forms.get("register")): if user is not None: response.status = 401 error = "{} is already taken.".format(username) #Within this block of code, we first load in the breaches. Then we have #several if statements -- the first checks if the username trying to log #in is in the plain text breach. If it is, it checks if the entered #password matches the password in the breach -- if it does, it blocks #the registration and throws an error. If it does not, no error is #thrown and the next if statement is checked. The same process is #repeated for the next two if statements (one for the hashed breach and #one for the salted breach). All 3 of these if statements will be #executed -- this accounts for cases where a username might be present #in more than 1 of the breaches. If no errors are thrown, the username #and password are approved/created. #To test, we took a username from the plain text breach and tested it #with the password from the breach -- it was rejected. When we tested #with a random password, it was approved. We did the same for the #hashed breach by converting one of the hashes into a plain text #password -- same results. We also did the same thing for the salted #breach, using the password we outputed in brute.py -- same results. #This confirmed that our system catches dangerous pairs from all #breaches. else: load_breaches(db) breaches = get_breaches(db, username) if len(breaches[0]) != 0: if password == breaches[0][0].password: response.status = 401 error = "This is a dangerous username-password pair. Please choose a different password for {}".format( username) if len(breaches[1]) != 0: pw_hash = hash_sha256(password) if pw_hash == breaches[1][0].hashed_password: response.status = 401 error = "This is a dangerous username-password pair. Please choose a different password for {}".format( username) if len(breaches[2]) != 0: pw_salt = hash_pbkdf2(password, breaches[2][0].salt) if pw_salt == breaches[2][0].salted_password: response.status = 401 error = "This is a dangerous username-password pair. Please choose a different password for {}".format( username) if error == None: create_user(db, username, password) else: response.status = 400 error = "Submission error." if error is None: # Perform login existing_session = get_session_by_username(db, username) if existing_session is not None: delete_session(db, existing_session) session = create_session(db, username) response.set_cookie("session", str(session.get_id())) return redirect("/{}".format(username)) return template("login", error=error)