

Simple Authentication Without a Database

TL;DR

You can create basic user authentication without relying on a database by storing user credentials (hashed passwords) directly in your application code or configuration files. This is suitable for small projects, demos, or situations where a full database setup is unnecessary. Warning: This approach has security limitations and isn’t recommended for production systems with sensitive data.

How to Implement Authentication Without a Database

  1. Define Users in Code/Config: Start by defining your users directly within your application's code or configuration file. For example, using a Python dictionary:
    # username -> password hash. The two values below are placeholders: as printed
    # they are unsalted SHA-256 digests (of two very common passwords, at that),
    # so they will NOT match what hash_password() in step 2 produces. Regenerate
    # every entry with hash_password() before use, or no login will ever succeed.
    users = {
        'alice': '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8',
        'bob':   '8c6976e8b5410415bde908bd4dee15dfb167a9c873fc44f8e8fdd4df2bfcd7a1'
    }
    

    Important: The values are hashed passwords (see step 2), and they must be produced by the same hash_password() function that the login check in step 3 calls; otherwise the comparison can never match. Never store plain text passwords!

  2. Hash Passwords: Before storing any password, you *must* hash it, and with a slow, purpose-built password hashing algorithm such as bcrypt or Argon2. The example below uses hashlib's SHA-256 only because it needs no extra dependency: SHA-256 is a fast general-purpose hash, and the fixed string it mixes in is a site-wide secret (a "pepper"), not the per-user salt described under Security Considerations:
    import hashlib

    # Site-wide secret mixed into every hash. Because it is identical for every
    # user, two users who pick the same password get the same digest; a real
    # salt is random per user and stored next to the hash. Replace this value
    # and load it from the environment rather than committing it to source control.
    SALT = 'your_secret_salt'

    def hash_password(password):
        salted_password = SALT + password
        hashed_password = hashlib.sha256(salted_password.encode('utf-8')).hexdigest()
        return hashed_password
    

    Note: hashlib.sha256 is a minimal example. For better security, use libraries specifically designed for password hashing like bcrypt or passlib, or at the very least hashlib.pbkdf2_hmac from the standard library with a random per-user salt and a high iteration count.

  3. Implement Login Function: Create a function to verify user credentials during login. Compare the digests with hmac.compare_digest rather than ==, so the time the comparison takes does not reveal how many leading characters matched:
    import hmac

    def authenticate_user(username, password):
        # Hash the attempt before looking the user up, so an unknown username
        # costs the same as a wrong password and cannot be told apart by timing.
        attempt = hash_password(password)
        stored = users.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(attempt, stored)
    
  4. Implement Registration (Optional): If you need user registration, add a function to hash the new password and store it in your users dictionary/config. Two cautions: the dictionary lives in memory, so new accounts vanish on restart unless you also write the configuration file back (with the permissions from step 5), and an openly reachable registration endpoint lets anyone create accounts, so restrict it or rate-limit it.
    def register_user(username, password):
        if username in users:
            return False  # never overwrite an existing account
        users[username] = hash_password(password)
        # Persist `users` to the config file here if accounts must survive a restart.
        return True
    
  5. Secure Your Configuration: If storing user data in a configuration file, ensure it has restricted access permissions (e.g., only readable by the application owner: chmod 600 on Unix-like systems) and keep it out of version control. Anyone who can read the file has every hash and can crack them offline at leisure.
  6. Consider Session Management: After successful authentication, create a session to track the logged-in user. This typically involves setting a cookie. Flask's session object is a cookie signed with app.secret_key: the client can read its contents but cannot alter them without the key, so the key must be long, random, and kept out of the source tree.

    Example using Flask:

    import os
    from flask import Flask, request, redirect, url_for, session

    app = Flask(__name__)
    # Signing key for the session cookie. Generate it once, e.g. with
    #   python -c "import secrets; print(secrets.token_hex(32))"
    # and supply it through the environment instead of hard-coding it.
    app.secret_key = os.environ['FLASK_SECRET_KEY']

    @app.route('/login', methods=['POST'])
    def login():
        username = request.form.get('username', '')
        password = request.form.get('password', '')
        if authenticate_user(username, password):
            session['username'] = username
            return redirect(url_for('home'))
        # Same message for a wrong password and an unknown user, with a 401 status.
        return 'Invalid credentials', 401
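
    Putting the six steps together, here is an added example (not code from the original post) that keeps the database-free design but closes the gaps a reviewer would flag in the step-by-step version: a random salt per password, the standard library's PBKDF2-HMAC-SHA256 as the slow hash (chosen because it needs no third-party package; bcrypt or Argon2 would be better still), constant-time comparison, identical work for unknown usernames, and a user file written with owner-only permissions. The names UserStore, verify_password and demo, the users.json file name, the iteration count and the sample accounts are all introduced here for illustration and are assumptions, not anything the post specifies.

```python
"""Database-free authentication with the corners rounded off.

Added example, not code from the original post. Users live in a JSON file
(the whole "database"); each stored value is a self-describing record
algorithm$iterations$salt$hash so the parameters can be raised later.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; return 'pbkdf2_sha256$iters$salt$hash' (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)            # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(actual, expected)


# Record for a password nobody knows, made once at import time. Login attempts
# for non-existent users are checked against it, so they take as long as real ones.
_DUMMY_RECORD = hash_password(secrets.token_hex(32))


class UserStore:
    """Users kept in a JSON file with owner-only permissions (assumed layout)."""

    def __init__(self, path: str):
        self.path = path
        self.users: dict = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.users = json.load(fh)

    def save(self) -> None:
        # Write to a 0600 temp file in the same directory, then rename over the
        # target: the file is never world-readable, even briefly, nor half-written.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.users, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)

    def register(self, username: str, password: str) -> bool:
        # Refuse duplicates (never overwrite), empty names and trivially short passwords.
        if not username or username in self.users or len(password) < 8:
            return False
        self.users[username] = hash_password(password)
        self.save()
        return True

    def authenticate(self, username: str, password: str) -> bool:
        # Unknown users are verified against the dummy record, so the KDF always
        # runs and response time does not reveal which usernames exist.
        record = self.users.get(username, _DUMMY_RECORD)
        return verify_password(password, record) and username in self.users


def demo() -> dict:
    """Exercise the store end to end on constructed sample accounts in a temp dir."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "users.json")
        store = UserStore(path)
        results = {
            "register_alice": store.register("alice", "correct horse battery"),
            "register_dup": store.register("alice", "another password"),
            "register_short": store.register("bob", "short"),
            "login_ok": store.authenticate("alice", "correct horse battery"),
            "login_bad": store.authenticate("alice", "wrong password"),
            "login_unknown": store.authenticate("mallory", "correct horse battery"),
            "file_mode": oct(os.stat(path).st_mode & 0o777),
            "reload_ok": UserStore(path).authenticate("alice", "correct horse battery"),
        }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The record format is what lets you migrate later: because the iteration count travels with each hash, you can raise ITERATIONS for new registrations and re-hash an old record transparently the next time that user logs in successfully. Note the ordering in authenticate(): the KDF runs before the membership check, which is the whole point of the dummy record.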
    

Security Considerations

  • Salt Your Hashes: Use a random salt for each password and store it alongside the hash. This defeats rainbow tables and stops two users with the same password from producing the same digest. A single fixed string, as in the step 2 example, is a pepper, not a salt.
  • Use Strong Hashing Algorithms: bcrypt, scrypt and Argon2 are deliberately slow (and, for the latter two, memory-hungry), which is what makes offline guessing expensive; SHA-256 is designed to be fast and runs at billions of guesses per second on a GPU. hashlib.pbkdf2_hmac is the standard-library fallback if you cannot add a dependency.
  • Compare in Constant Time: Check digests with hmac.compare_digest rather than ==, and do the same amount of hashing work whether or not the username exists, so response times leak neither the digest nor the user list.
  • Limited Scalability: This method doesn't scale well as the number of users grows, and every change to the user list means editing and redeploying a file.
  • Code/Config Security: Protecting the code or configuration file containing user data is crucial; whoever can read it holds every hash for offline cracking, so restrict its permissions and keep it out of version control.
  • No Advanced Features: You won't have features like password reset, account recovery, lockout or two-factor authentication without significant custom development.