The Hidden Pitfall of Password Encryption in Django: Avoid This Rookie Mistake

Yashraj singh
3 min readAug 30, 2024

--

dj

Table of Contents

  1. Introduction
  2. The Mistake: An Unfortunate Slip
  3. The Right Way: How to Handle Passwords in Django
  4. The Consequence: What Went Wrong
  5. Conclusion: Lessons Learned and Moving Forward

Introduction

Everyone makes mistakes, and as a fellow human, I’ve had my share. One area where I stumbled recently was with password encryption in Django. If you’re working with Django or planning to, I want to share a lesson from my own error so you can avoid the same pitfall.

The Mistake: An Unfortunate Slip

Here’s where things went awry: I made a seemingly minor error with password handling in Django, but it had major implications. I had two panels in my project — a client panel and an admin panel — and everything seemed to be functioning fine. However, in the admin panel, when inviting a new user, there was a crucial step I missed.

Here is the code I used while creating a new entry in the auth_user table when sending an invite to new users:

from django.contrib.auth.models import User

user = User.objects.create_user(username=username, password=None, email=email)
user.save()

This code looks straightforward, but there’s a crucial detail missing. I thought setting the password to None would be harmless. But here’s where the problem started.

The Right Way: How to Handle Passwords in Django

Django provides a secure way to store passwords using a technique called hashing. Hashing is a one-way function that transforms a plain text password into a seemingly random string of characters. This string, called a hash, cannot be reversed back into the original password.

Here’s the proper way to set passwords in Django:

Create a User Instance:

user = User(username=username, email=email)

Set the Password:

user.set_password(password)  # This will hash the password

Save the User:

user.save()

By using user.set_password(password), Django generates a secure hash of the user's password before storing it in the database. This protects your users' information even if your database is compromised.

Generate By Blunders

The Consequence: What Went Wrong

Now, let’s say you have a feature where users can be invited through email. You might be tempted to use something like this:

user = User.objects.create_user(username=username, password=None, email=email)

This code seems logical — the user doesn’t have a password yet, so you set it to None. However, Django doesn't actually store None in the password field. Instead, it generates a random string to ensure data integrity.

For example, a hashed password should look something like:

pbkdf2_sha256$260000$7a3d92e6f8f623ab$6c4eab74c5f047ef8b3f0d01f6a6d74b4fbd9d6b530bfe6a0a74aaf7fa79024d

But in my case, I ended up with random strings like:

4b2xRQmfK2SxZQHckSVdH8M/aH+wJ8gzyLZwX7MAZHY=

This inconsistency was noticed by my client. Not only did this expose my oversight, but it also made me feel quite embarrassed.

Conclusion: Lessons Learned and Moving Forward

We all make mistakes, but it’s important to learn from them. This error taught me a valuable lesson about handling passwords in Django properly. Always use Django’s methods to set and hash passwords to ensure they are secure and managed correctly.

If you’re new to Django or working on similar projects, take this as a reminder to double-check your implementation. Mistakes like these can be avoided with careful attention and understanding.

Remember, even experienced developers make mistakes. What matters is how we learn from them and strive to improve.

--

--

Yashraj singh
Yashraj singh

Written by Yashraj singh

Learner | Developer | Software Engineer

No responses yet