0

It's suprisingly hard to find concrete information about that topic. I've worked with the Flask framework lately and I just managed to create a proper login that stores the passwords in a database after hashing them. While reading about this topic the following question came to my mind. What technology is used to build properly secured web applications like e banking platforms? Could you build something like that with Flask or is there a similar technology that is much safer?

jz22
  • 103
  • 2
  • 2
    Please don't use md5 for password storage. It is widely considered broken for such uses. https://security.stackexchange.com/questions/19906/is-md5-considered-insecure – JesseM Jul 26 '17 at 22:56
  • 1
    This is impossibly broad to answer. The summary is that you build a web application that uses all the normal security processes, and then mix in a bunch of extra compliance work. – Xiong Chiamiov Jul 27 '17 at 04:31

2 Answers2

0

I just managed to create a proper login that stores the passwords in a database after md5 hashing them

No, you didn't...

What technology is used to build properly secured web applications like e banking platforms?

Java

Could you build something like that with Flask?

Maybe, if you're careful and can find quality libraries or build your own

The correct way to store passwords is to use a slow, cryptographic hash like bcrypt, scrypt, or PBKDF2

Neil McGuigan
  • 3,379
  • 1
  • 16
  • 20
  • Is slowness a requirement? – sha1 Jul 27 '17 at 01:15
  • Yes. A good hash should take >= 250 ms – Neil McGuigan Jul 27 '17 at 02:13
  • Alternatively just recursively hash the result, do this 1000 or 10,000 times, this will increase the time it takes to generate the final hash. – xvk3 Jul 27 '17 at 06:12
  • @NeilMcGuigan Can you elaborate on the reason for the slowness requirement? Because I'd say a hash function _should_ be fast. If you are referring to slowing down of the process of hash comparison (e.g., hash multiple times and then check), this does not imply a slowness requirement on the hash function. – sha1 Jul 27 '17 at 17:00
  • @WillV Don't do that. Use industry accepted and widely known methods to store passwords to ensure future compatibility. – zzarzzur Jul 29 '17 at 13:31
0

This question is broad and likely won't attract a quality answers.

But here we go...

By applying the industry best-practices across all layers of your application, using well-maintained frameworks/libraries, and by actively performing penetration testing on your application- you can achieve a secure posture and consider your application secure.

It all depends on your use-case. If you are looking into building something with Flask, that is only one layer of the entire system (the web application framework). Between your web application and the user, you will have a web server technology, HTTP/HTTPS protocols, encryption technologies (SSL/TLS), and client side security risks (XSS, XSRF, un-trusted data tampering, etc...).

Each of these layers increase the probability of security vulnerabilities. Nothing can be 100% secure- including banking applications.

If you are in (or looking to be in) the business of creating a very secure application, then you will want someone with dedicated security expertise available to provide subject matter expertise on all aspects of the system build.

Unfortunately, there is no one-size-fits-all answer to security. If there was, there would probably exist a one-size-fits-all hacking tool.

SecretSasquatch
  • 619
  • 3
  • 9