Storing Passwords Using Salted Hashes
Get introduced to the fundamentals of good password storage, using salts.
We'll cover the following...
Salts
Since an attacker can download a table mapping hashes back to regular words, what if you just add a little extra text to every password? So, to store hashes of 'MyCoolSite'+password, an attacker needs a unique mapping table just for MyCoolSite. Better still, if every password has a unique bit of text, an attacker needs a new table for every password. That bit of text is called a salt.
Another benefit of salts is that hashes will be unique even when the passwords aren’t. Consequently, when an attacker cracks one password, other accounts with the same password are still safe.
Here’s an example:
import hashlibimport secretsdef salted_hash(password):salt = secrets.token_bytes(16)salted_password = salt + bytes(password, 'utf-8')return salt.hex() + '$' + hashlib.sha256(salted_password).hexdigest()print(salted_hash('somepassword'))
Try running the example a few times and verify that a different hash is always returned. That’s the salt at work.
The example uses Python’s secrets module to generate a salt. This is preferred over ...