python-custom.tar.gz

Python

There are a lot of common mistakes in password security. From storing plaintext passwords to not salting user passwords, to using insufficient hashing algorithms like SHA-1.

In this course, you will learn why plaintext passwords, encryption, and plain hashes are security measures that should not be used. In each lesson, you will learn why these password storage techniques increase your risk for a cyber attack. Beyond that, you’ll also learn how to fix them to create a more secure login experience.

By the end of this course, you will have a strong understanding of password security, and you will be better equipped to create web apps that users trust.

Password Security: How not to Store Passwords

# Password hashes

Hash functions let you prove you know a secret without having to say the secret. They work by computing a checksum from the password. If another password produces the same checksum, the inputs are the same.

Here's a simple hash algorithm to illustrate the idea:

def dumb_hash(value):
    sum = 0
    for b in bytes(value, 'utf-8'):
        sum += b
    return sum

print(dumb_hash("apple"))

This is a bad algorithm, but it's just to illustrate the point. Every time you pass `apple` you'll get `530`, but there's no algorithm to get from `530` back to `apple`. Try modifying the input in the above program, and you will see a different output. Hash functions are wonderful for password storage because you can just store the output. Then, to validate a password, calculate the new hash; if the hashes match, the password is correct.

You can pick from several hash algorithms. [MD5](https://en.wikipedia.org/wiki/MD5) and [SHA-1](https://en.wikipedia.org/wiki/SHA-1) should not be used for passwords anymore. [SHA-2](https://en.wikipedia.org/wiki/SHA-2) is still secure.

> **Note**: There are similar algorithms that were not designed for cryptography. [CRC32](https://en.wikipedia.org/wiki/Cyclic_redundancy_check) and [FNV](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function), for instance, are great for hash tables or finding transmission errors, but they were never intended for cryptography and won't survive a serious crack attempt.

Here's an example using **SHA-256**, from the **SHA-2** family:

Learn about password hashing, why hashes alone are not enough, and how to fix a database of insecure password hashes.

__default

Storing Hashed Passwords

Password hashes