Django: raw passwords via request.POST

Tags: python, django

This question concerns the standard UserCreationForm within Django, and the way that passwords are stored, extracted and used through a request object. Specifically, the fact that I seem to be able to print raw passwords through print(request.POST). File contents will be provided at the end of this post.

I have created a registration page. I have set up a very basic class-based view that authenticates and logs the newly created user in. The actual HTML of that page is rendered automatically in this case, through {{ form.as_p }} where form is an instance of UserCreationForm.

How come, when I execute print(request.POST), I get something along the lines of this returned:

<QueryDict: {'csrfmiddlewaretoken': ['keeping_this_private'], 'username': ['William'], 'password1': ['ACTUALPASSWORD'], 'password2': ['ACTUALPASSWORD'], 'button': ['']}>

Is this really secure? As I have only been programming for a couple of months, I am still learning.

views.py:

from django.contrib.auth import authenticate, login
from django.contrib.auth.forms import UserCreationForm
from django.shortcuts import redirect, render
from django.views import View


class RegisterView(View):
    def get(self, request):
        form = UserCreationForm()
        return render(request, 'authentication/registration.html', {'form': form})

    def post(self, request):
        form = UserCreationForm(request.POST)
        if form.is_valid():
            # This prints the raw POST data, including the cleartext password fields.
            print(request.POST)
            form.save()
            username = form.cleaned_data.get('username')
            raw_password = form.cleaned_data.get('password1')
            user = authenticate(username=username, password=raw_password)
            login(request, user)
            return redirect('home')

        else:
            return render(request, 'authentication/registration.html', {'form': form})

registration.html:

{% extends 'base.html' %}

{% block body %}
<body class="text-center">
  <form method="post">
    {% csrf_token %}

    {{ form.as_p }}
    <button type="submit" name="button"></button>

  </form>
</body>
{% endblock %}

urls.py:

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^register/$', RegisterView.as_view(), name='register'),
    ...
William Karlsson asked Mar 25 '26 02:03


2 Answers

Yes, this is absolutely expected. When a user submits a password in a form, it is submitted as is (in the clear). There is no other choice: you need the clear password to be able to check its validity. The transport of the POST data should, however, be secured with the HTTPS protocol.

You could be tempted to hash it on the client side before sending it to your server. That does not, however, increase security at all, as in this case the hashed version of the password becomes the actual password. It is a common false sense of security.

I invite you to read this post on security.stackexchange for more details.

Antoine Pinsard answered Mar 27 '26 14:03


That's a good question, especially from someone new to programming. The fact is that it's, basically, totally insecure - but unavoidable. Passing a hashed password would actually be just as insecure, since anyone (well, anyone able to read the packet at least) could still read the POST content, and you do need to send the password from the user's client to your server one way or another. Note that you'll have the very same issue with just about any confidential information, not only passwords.

The solution here is to use HTTPS instead of HTTP so the request's body is encrypted. It's still not 100% safe and secure (nothing is actually 100% safe and secure), but a brute force attack would require either too many resources or too much time.

bruno desthuilliers answered Mar 27 '26 16:03
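Besides the wire, the question's print(request.POST) sends the cleartext password into application logs, where HTTPS does not help. As an added example (not from the question or either answer), here is a small helper that redacts credential fields from a QueryDict-style mapping before it is logged; it is plain Python so it runs without Django installed, and the field-name pattern and the sample data are constructed for this example.

```python
import re
from typing import Any, Mapping, Sequence

# Field names that must never reach a log line. The pattern is an assumption
# for this example; extend it to cover the field names your own forms use.
SENSITIVE_FIELD = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)
REDACTED = "********"


def redact_post(data: Mapping[str, Any]) -> dict:
    """Return a copy of a request.POST-like mapping that is safe to log.

    Django's QueryDict maps each key to a list of values (see the QueryDict
    repr in the question), so list values and plain strings are both handled.
    For Django's own error reports, the built-in decorator
    django.views.decorators.debug.sensitive_post_parameters does the same job.
    """
    safe = {}
    for key, value in data.items():
        is_list = isinstance(value, (list, tuple))
        if SENSITIVE_FIELD.search(key):
            safe[key] = [REDACTED] * len(value) if is_list else REDACTED
        else:
            safe[key] = list(value) if is_list else value
    return safe


def leaks_secret(rendered: str, secrets: Sequence[str]) -> bool:
    """True if any raw secret still appears in text that is about to be logged."""
    return any(secret in rendered for secret in secrets)


# Constructed sample shaped like the QueryDict printed in the question.
SAMPLE_POST = {
    "csrfmiddlewaretoken": ["keeping_this_private"],
    "username": ["William"],
    "password1": ["ACTUALPASSWORD"],
    "password2": ["ACTUALPASSWORD"],
    "button": [""],
}

if __name__ == "__main__":
    # What the view should log instead of print(request.POST).
    print(redact_post(SAMPLE_POST))
```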


