python-custom.tar.gz

Python

There are a lot of common mistakes in password security. From storing plaintext passwords to not salting user passwords, to using insufficient hashing algorithms like SHA-1.

In this course, you will learn why plaintext passwords, encryption, and plain hashes are security measures that should not be used. In each lesson, you will learn why these password storage techniques increase your risk for a cyber attack. Beyond that, you’ll also learn how to fix them to create a more secure login experience.

By the end of this course, you will have a strong understanding of password security, and you will be better equipped to create web apps that users trust.

Password Security: How not to Store Passwords

# Salts

Since an attacker can download a table mapping hashes back to regular words, what if you just add a little extra text to every password? So, to store hashes of `'MyCoolSite'+password`, an attacker needs a unique mapping table just for `MyCoolSite`. Better still, if every password has a unique bit of text, an attacker needs a new table for every password. That bit of text is called a **salt**.

Another benefit of salts is that hashes will be unique even when the passwords aren't. Consequently, when an attacker cracks one password, other accounts with the same password are still safe.

Here's an example:

import hashlib
import secrets

def salted_hash(password):
    salt = secrets.token_bytes(16)
    salted_password = salt + bytes(password, 'utf-8')
    return salt.hex() + '$' + hashlib.sha256(salted_password).hexdigest()

print(salted_hash('somepassword'))

Try running the example a few times and verify that a different hash is always returned. That's the salt at work.

The example uses Python's [`secrets`](https://docs.python.org/3.8/library/secrets.html) module to generate a salt. This is preferred over [`random`](https://docs.python.org/3.8/library/random.html) because `secrets` doesn't have a pattern.

You want to avoid two users ever having the same salt. I chose a 16-byte salt. 16 bytes is $2^{128}$ combinations, or about $3.4 \times 10^{38}$. It's unlikely two users will ever get the same salt, and it is even less likely that two users with the same salt will have the same password.

To check a salted hash, recalculate the hash with the same salt and see if the hashes match:

 Get introduced to the fundamentals of good password storage, using salts.

__default

Storing Passwords Using Salted Hashes

Salts