1.2.6 Encryption

The password stored in the database can be encrypted for extra security. Encryption can be enabled by specifying encryption='md5' in the admin or manager objects. Note that what the manual calls encryption is a one-way hash: with encryption='md5' the MD5 digest of the password is stored instead of the password itself, so the original password cannot be recovered from the database.

auth = web.auth.manager(
    session.store('auth'), 
    'database', 
    autoCreate=1,
    cursor=cursor,
    encryption='md5',
)

The encryption method must also be specified in the sign in handler, so that the handler knows to encrypt the submitted password in the same way before comparing it with the encrypted version stored in the database. If the handler and the manager use different settings, no sign in will ever succeed, because the two values being compared are produced differently.

signInHandler = web.auth.handler.signIn.SignInHandler(manager=auth, encryption='md5')

There are some drawbacks to using encryption. The main one is that the user's password is not actually stored anywhere, so if a user forgets their password you must reset it rather than reading it from the database.

Also, the password attribute of a user object will return the encrypted password, not the real password.

>>> auth.user('john').password
'5f4dcc3b5aa765d61d8327deb882cf99'

Finally, if you wish to change the type of encryption you are using after having added users to the database you will need to reset their passwords, since the digests already stored cannot be converted to the new scheme.
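The following added example is not part of web.auth; it is a self-contained Python illustration of the behaviour described in this section, using a plain dictionary as a stand-in for the cursor-backed user store. It shows the sign in check (hash the submitted password the same way the manager did, then compare), why the handler's encryption setting must match the manager's, why the stored value is a digest rather than the password, and why switching scheme requires a reset. Alongside the page's md5 setting it also includes a salted PBKDF2-SHA256 scheme as the stronger option a practitioner would choose today; the function names, the 'pbkdf2' scheme label and the stored-value format are assumptions of this example, not web.auth's API.

```python
import hashlib
import hmac
import os

# Stand-in for the database table web.auth would create; constructed for this
# example. Maps username -> stored credential (plain, md5 hex, or pbkdf2 record).
USERS = {}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example's pbkdf2 scheme


def md5_hex(password):
    """MD5 hex digest, the value web.auth stores when encryption='md5'."""
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def store_password(store, username, password, encryption=None):
    """Record a credential the way a manager configured with `encryption` would.

    None   -> the password itself is stored (recoverable, the page's default)
    'md5'  -> the one-way MD5 digest is stored (the page's example)
    'pbkdf2' -> salted PBKDF2-SHA256 record, 'pbkdf2$<salt hex>$<dk hex>'
    """
    if encryption is None:
        store[username] = password
    elif encryption == 'md5':
        store[username] = md5_hex(password)
    elif encryption == 'pbkdf2':
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt,
                                 PBKDF2_ITERATIONS)
        store[username] = 'pbkdf2$%s$%s' % (salt.hex(), dk.hex())
    else:
        raise ValueError('unknown encryption setting: %r' % encryption)


def check_password(store, username, candidate, encryption=None):
    """What a sign in handler configured with `encryption` must do: derive the
    same kind of value from the submitted password and compare it in constant
    time with what the store holds. A handler whose setting differs from the
    manager's compares unlike values and always fails."""
    stored = store.get(username)
    if stored is None:
        return False
    if encryption is None:
        return hmac.compare_digest(stored.encode('utf-8'),
                                   candidate.encode('utf-8'))
    if encryption == 'md5':
        return hmac.compare_digest(stored, md5_hex(candidate))
    if encryption == 'pbkdf2':
        parts = stored.split('$')
        if len(parts) != 3 or parts[0] != 'pbkdf2':
            return False  # record was written under a different scheme
        salt, dk_hex = bytes.fromhex(parts[1]), parts[2]
        dk = hashlib.pbkdf2_hmac('sha256', candidate.encode('utf-8'), salt,
                                 PBKDF2_ITERATIONS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError('unknown encryption setting: %r' % encryption)


def change_scheme(store, username, new_password, new_encryption):
    """Switching scheme after users exist: the old digest cannot be converted,
    so the only option is to store a freshly supplied password (a reset)."""
    store_password(store, username, new_password, new_encryption)


if __name__ == '__main__':
    store_password(USERS, 'john', 'password', 'md5')
    print(USERS['john'])                                   # the digest, not the password
    print(check_password(USERS, 'john', 'password', 'md5'))  # True
    print(check_password(USERS, 'john', 'password', None))   # False: handler/manager mismatch
    change_scheme(USERS, 'john', 'password', 'pbkdf2')       # reset needed to move schemes
    print(check_password(USERS, 'john', 'password', 'pbkdf2'))  # True
```

The md5 branch reproduces exactly what the page shows for auth.user('john').password when the password is "password"; the pbkdf2 branch shows the same handler logic with a per-user salt and a configurable work factor, which is what removes the precomputed-table weakness of an unsalted MD5 digest.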