Building a from-scratch server or using a lightweight framework is empowering. With that power comes responsibility, specifically the responsibility to securely store user’s passwords. Not understanding the security implications of password storage can lead to devastating breaches and leaks. If you are building an application and need to store user credentials, learn about hash functions. Can I Store Passwords In Plain Text? To demonstrate the potential dangers, let us assume we DON’T hash passwords on a fake example website, . Inevitably when a hacker or disgruntled employee obtains access to database, they will download all the usernames and passwords: LoveMatchingToday LoveMatchingToday’s user.one@gmail.com – somePa$$wordHere user.two@hotmail.com – otherPlainTextPass Now the attacker can go to other websites, and because a majority of people reuse passwords on different websites, they can hack other systems. Solution – Hashing . Because hashes are one-way, the attacker can’t re-create the plaintext password from the hash. Now the attacker would find something like this in the database: A hash function (or more specifically in our case, a key derivation function ) deterministically creates a strong key from a password user.one@gmail.com – cab864878af008fbc550087940ffacdb79a7f82201725e3350e25d6cfbdd4255 user.two@hotmail.com – 42a7fd2b639d18b3aba5db8504d4530f1f1ab58ab9615414b7629d6ec5c157b8 They won’t be able to use the hash to log in on other systems because they don’t have access to the original password. In Python, is a strong key derivation function that can be used in production systems: Bcrypt <code style="box-sizing: border-box; font-family: Consolas, &quot;Andale Mono WT&quot;, &quot;Andale Mono&quot;, &quot;Lucida Console&quot;, &quot;Lucida Sans Typewriter&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Bitstream Vera Sans Mono&quot;, &quot;Liberation Mono&quot;, &quot;Nimbus Mono L&quot;, Monaco, &quot;Courier New&quot;, Courier, monospace; color: rgb(255, 255 , 255 ); background-color: transparent; border: 0 px; padding: 0 px; font-size: 0.85 em; border-radius: 3 px;">import bcrypt bcrypt.hashpw('userPlainTextPassword'.encode(), bcrypt.gensalt())</code> Rainbow Tables and Salts You may have wondered in the above code snippet what the function does. If we were to hash passwords without salts, an attacker could do a attack in order to find the original plain text. gensalt() rainbow table A salt is a random string of data hashed alongside a password to keep the hash result unique. each time a new password is saved, and the salt is stored alongside the hashed result so that it can be used again for comparison. so that developers don’t need to do the extra work. Salts should be recreated Libraries like bcrypt are smart enough to store the salt IN the resulting string For example, let’s say that wisened up and started hashing passwords, but didn’t include unique salts. An attacker could have a precomputed table of hashes: LoveMatchingToday aab864878af008fbc550087940ffacdb79a7f82201725e3350e25d6cfbdd425f = password123 afg3683232297323f2f0087940ffacdb79a7f8284723732350e25d6cfbdd4cccc = shadowTheHedgehog1234 They could then check each hash they find and see if a hash matches an entry in their table. If so, they can effectively “reverse” the hash and learn the original plaintext. For this reason, we need to salt passwords. Luckily Bcrypt handles salting automagically. For the sake of learning, however, let’s assume they didn’t. If they didn’t, our pseudocode would look something like this: salt = creatRandomSalt()
hashedPassword = hash(newPassword.concat(salt))
database.save(hashedPassword, salt) hashedPassword, salt = database.GetUserCredentals()
passwordInput = userInput
if hash(passwordInput.concat(salt)) == hashedPassword:
  login() failure() <code style="box-sizing: border-box; font-family: Consolas, ;Andale Mono WT ;, ;Andale Mono ;, ;Lucida Console ;, ;Lucida Sans Typewriter ;, ;DejaVu Sans Mono ;, ;Bitstream Vera Sans Mono ;, ;Liberation Mono ;, ;Nimbus Mono L ;, Monaco, ;Courier New ;, Courier, monospace; color: rgb( , , ); background-color: transparent; border: px; padding: px; font-size: em; border-radius: px;"> &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot 255 255 255 0 0 0.85 3 # Save new password # Check password else: </code> However, since Bcrypt stores the salt automatically with the hashed result in the “ ” format, we can just use the following code: {salt}{hashed} import bcrypt hashAndSalt = bcrypt.hashpw(password.encode(), bcrypt.gensalt()) valid = bcrypt.checkpw(password.encode(), hashAndSalt) <code style="box-sizing: border-box; font-family: Consolas, ;Andale Mono WT ;, ;Andale Mono ;, ;Lucida Console ;, ;Lucida Sans Typewriter ;, ;DejaVu Sans Mono ;, ;Bitstream Vera Sans Mono ;, ;Liberation Mono ;, ;Nimbus Mono L ;, Monaco, ;Courier New ;, Courier, monospace; color: rgb( , , ); background-color: transparent; border: px; padding: px; font-size: em; border-radius: px;"> &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot &quot 255 255 255 0 0 0.85 3 # password = userInput # save in data base "hashAndSalt" # To check: # password = userInput </code> Thanks For Reading If you have questions hit me up on twitter! Lane on Twitter: @wagslane Lane on Dev.to: wagslane Download Qvault: https://qvault.io Previously published at https://qvault.io/2020/01/29/hashing-passwords-python-cryptography-examples/

Alongside

Twitter

How to Use AES-256 Cipher: Python Cryptography Examples

Adi Shamir's Secret Sharing: An Algorithm To Share Ownership

Learn to code on Boot.dev

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Mathematics

Nominated for 2022 - HackerNoon Contributor of the Year - Cryptography

Nominated for Coding Guru of 2022

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Online Education

Nominated for 2022 - HackerNoon Contributor of the Year - Job Hunting

Nominated for Super Career Strategist of 2022

Too Long; Didn't Read

Hashing Passwords In Python: Bcrypt Tutorial with Examples

Hashing Passwords In Python: Bcrypt Tutorial with Examples

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

A Complete Overview of Cryptography

A Practical Guide to Implementing User Authentication using JavaScript and Express

Authentication and Authorization with bcrypt In Rails

Switching from BCrypt to SHA2 may save your CPU…and your sanity!

The Bcrypt Protocol… is kind of a mess

A Complete Overview of Cryptography

A Practical Guide to Implementing User Authentication using JavaScript and Express

Authentication and Authorization with bcrypt In Rails

Switching from BCrypt to SHA2 may save your CPU…and your sanity!

The Bcrypt Protocol… is kind of a mess

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps