
All I want is a working login system with a basic Pastebin "database" for my program but I do not know how to do it.

After you enter the right login details that are written in Pastebin and press the "Enter" button I want to be redirected to a new window where my program will open and if the Pastebin login details are wrong, not to be redirected. How do I do it?

My code:

```python
from tkinter import *
import requests

win = Tk()
win.geometry("500x500")
win.title("Login Page")


def validateLogin():
    accounts = requests.get("https://pastebin.com/pzhDWPDq")

    print("username entered :", user1.get())
    print("password entered :", passwd1.get())

    user = user1.get()
    pword = passwd1.get()

    if f"{user}::{pword}" in accounts:
        return True
    else:
        return False


userlvl = Label(win, text="Username :")
passwdlvl = Label(win, text="Password  :")

user1 = Entry(win, textvariable=StringVar())
passwd1 = Entry(win, textvariable=IntVar().set(""))

enter = Button(win, text="Enter", command=lambda: validateLogin(), bd=0)

enter.configure(bg="pink")
user1.place(x=200, y=220)
passwd1.place(x=200, y=270)
userlvl.place(x=130, y=220)
passwdlvl.place(x=130, y=270)
enter.place(x=238, y=325)

win.mainloop()
```
antique
  • If you aren't going to keep a reference to the tkinter variables (the `StringVar` and the `IntVar`), there is no point in them being there. Also `command=lambda: validateLogin()` can be replaced by `command=validateLogin`. – TheLizzard May 23 '21 at 22:02
  • Thank you for the tip, if you say they're useless I will remove them. – antique May 23 '21 at 22:03
  • Also a security question: If you embed `https://pastebin.com/pzhDWPDq` in your code, what stops someone from looking at the username/password as plain text? You have to also encrypt the password. – TheLizzard May 23 '21 at 22:05
  • Oh, I never thought of that, it isn't gonna be something super secret though. How do I encrypt the password? – antique May 23 '21 at 22:07
  • If you use something like [this](https://stackoverflow.com/a/9595108/11106801), you can store the hashed passwords inside the pastebin. But you will also have to hash the password that you get from the user (hash `pword` just after `pword = passwd1.get()`) – TheLizzard May 23 '21 at 22:10
  • I don't really understand what I am supposed to do. I would be very happy if you could show me an example. – antique May 23 '21 at 22:14
  • Check [this](https://github.com/nihaalnz/PassLost/blob/main/hash.py) for an example. – Cool Cloud May 23 '21 at 22:14
  • Thanks, but that looks too complicated for a beginner like me. Does another method exist? I don't even know in which line to implement that code. – antique May 23 '21 at 22:16
  • @CoolCloud Hashing and encrypting are different things. Hashing is better for passwords. And in your case, the key for encrypting and decrypting passwords is the same. From a hacker's point of view it is the same as storing the passwords as plain text. – TheLizzard May 23 '21 at 22:21
  • @TheLizzard I am aware, did you miss the hashing there? The key for encrypting password is something that the user alone knows, it's not saved anywhere, so tell me how a hacker would be able to view it, as plaintext? – Cool Cloud May 23 '21 at 22:56
  • @CoolCloud So you are going to use part of the password/another user input for the key? I am not aware of the internals of how AES works but that might not be safe. Also if you hash something you can't unhash it. That is why passwords are hashed. – TheLizzard May 23 '21 at 23:02
  • @TheLizzard Yes, technically hashing is not reversible. Why would that be unsafe? How else would you recommend to store passwords as hash and let users see it, when they want? Oh and the function names might be confusing, I just gave it a `hash` name, while `AES` is encryption. Hashing can be used in case to check and verify passwords, but to store passwords and make users view it, I don't think hashing can help there. A pbkdf with encryption might work – Cool Cloud May 23 '21 at 23:05
  • @CoolCloud You should never be able to see your passwords that are stored in a database. When you click on *forgot password*, most websites just allow you to write a new password because they can't (and shouldn't even try to) unhash your password. – TheLizzard May 23 '21 at 23:08
  • @TheLizzard Well, my project was a password manager, so..... – Cool Cloud May 23 '21 at 23:08
  • @CoolCloud That works for a password manager. But in OP's case it isn't a good idea. – TheLizzard May 23 '21 at 23:09
  • True. Well as far as the OP's question is concerned, use `bcrypt`. I think it has a `checkpw` method. – Cool Cloud May 23 '21 at 23:11
  • How do you store passwords on the pastebin? If it is manually, then you will have to manually store the password hash out there somehow. If there is a code that does it, then use `bcrypt`. – Cool Cloud May 23 '21 at 23:12
  • If you want to get the content of the pastebin link, you need to use the *raw* link: `"https://pastebin.com/raw/..."` instead. As others said, storing plain credentials is not recommended. – acw1668 May 24 '21 at 01:37
  • @acw1668 Thank you, man, yeah, I know it is low security but I am not familiar with MySQL and so on. Like I said I tried some code but it did not work and I don't know what exactly I need to do further to make it work. – antique May 24 '21 at 12:36

1 Answer


The URL link will get the HTML version so you need to use the raw content link instead.

Below is a modified validateLogin():

```python
def validateLogin():
    # use raw URL link
    response = requests.get("https://pastebin.com/raw/pzhDWPDq")
    # requests.get() returns a response object
    # so use attribute 'content' to get the real content (type is bytes)
    # then use `decode()` to convert bytes to string
    # and finally split the content into list of lines
    accounts = response.content.decode().splitlines()

    user = user1.get()
    pword = passwd1.get()

    print("username entered :", user)
    print("password entered :", pword)

    print("OK" if f"{user}::{pword}" in accounts else "Failed")
    # or update a label text
```
Note that storing plain-text passwords is not recommended.

acw1668
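
The hashing approach suggested in the comments, as an added example (not code from the question or the answer): each paste line holds `user::iterations$salt$hash` instead of the plain password, and the login check re-derives the hash from what the user typed. It uses the standard library's PBKDF2 in place of `bcrypt`; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def make_record(user, password, salt=None):
    """Build one paste line: user::iterations$salt_hex$hash_hex (assumed format)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}::{ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_accounts(text):
    """Map user -> stored record, skipping lines that are not well-formed."""
    accounts = {}
    for line in text.splitlines():
        user, sep, stored = line.strip().partition("::")
        if sep and user and stored.count("$") == 2:
            accounts[user] = stored
    return accounts


def check_login(accounts, user, password):
    """Re-derive the hash from the typed password and compare in constant time."""
    stored = accounts.get(user)
    if stored is None:
        return False
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # corrupt record: fail closed
    return hmac.compare_digest(digest, expected)


# Constructed sample paste: one valid record plus two malformed lines.
SAMPLE_PASTE = "\n".join([
    make_record("alice", "correct horse", salt=bytes(16)),
    "bob::plaintext-password",
    "<html>not the raw link</html>",
])

if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_PASTE)
    print(check_login(accounts, "alice", "correct horse"))
    print(check_login(accounts, "alice", "wrong"))
```

In `validateLogin()`, pass `response.text` to `parse_accounts` and the two entry values to `check_login`.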