Password field in Django model

醉梦人生 2020-12-02 11:17

I'm trying to create a model where I can store usernames and passwords for other applications. How can I set a password field in Django so that it is not in plain text in a

5 answers
  •  盖世英雄少女心
    2020-12-02 12:01

    Unfortunately there isn't an easy answer to this question because it depends on the applications you are trying to authenticate against and it also depends on how secure you want the password fields to be.

    If your Django application will be using the password to authenticate against another application that requires a plaintext password to be sent, then your options are:

    • Store the password in plain text in your Django model (your question implies you don't want to do this)
    • Capture a master password from the user before they can unlock their stored password for other applications
    • Obfuscate the password in the model so that it can be accessed by anyone with raw datastore permissions but just isn't obvious to human casual viewers

    You could use the Django user password as the master password if you are using Django's builtin user model. This means that you will need to keep that master password in memory which may make some operations difficult for you, such as restarting the server or running load-balanced redundant servers.

    Alternative to storing passwords

    Luckily many modern applications support this in another way using an access token system which is key based rather than password based. Users are guided through the process of setting up a link between the two applications and, behind the scenes, the applications generate keys to authenticate each other either permanently or with a defined expiration date.

    Facebook, for example, supports this model and they have extensive documentation about how it works:

    Facebook Developers: Access Tokens and Types

    Once you have managed to link with Facebook using [OAuth 2.0](http://tools.ietf.org/html/draft-ietf-oauth-v2-12) you will probably find it easier to add links to other applications using that same protocol.
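
An added example (not part of the answer above, and not Django's own code) contrasting two of the listed options: obfuscation, which anyone with datastore access can reverse, and a master password, where the encryption key is derived at unlock time and never stored. It assumes the third-party `cryptography` package; the function names, the `salt$token` layout and the iteration count are choices made for this example, and the returned string would be saved in an ordinary text field on the model.

```python
import base64
import hashlib
import secrets
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken

# Assumed work factor for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def obfuscate(secret: str) -> str:
    """Obfuscation option: encoding only, reversible without any key."""
    return base64.b64encode(secret.encode()).decode()


def deobfuscate(stored: str) -> str:
    return base64.b64decode(stored).decode()


def _derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte Fernet key."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return base64.urlsafe_b64encode(raw)


def seal(master_password: str, secret: str) -> str:
    """Master-password option: the key is never stored with the row."""
    salt = secrets.token_bytes(16)  # fresh salt per stored credential
    token = Fernet(_derive_key(master_password, salt)).encrypt(secret.encode())
    return base64.urlsafe_b64encode(salt).decode() + "$" + token.decode()


def unseal(master_password: str, stored: str) -> Optional[str]:
    """Return the plaintext, or None if the master password is wrong
    or the stored value was tampered with."""
    salt_b64, token = stored.split("$", 1)
    salt = base64.urlsafe_b64decode(salt_b64)
    try:
        plain = Fernet(_derive_key(master_password, salt)).decrypt(token.encode())
    except InvalidToken:
        return None
    return plain.decode()
```

Only the output of `seal` is written to the database; the master password has to be supplied again on every unlock, which is the operational cost the answer describes.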
