python-custom.tar.gz

Python

There are a lot of common mistakes in password security. From storing plaintext passwords to not salting user passwords, to using insufficient hashing algorithms like SHA-1.

In this course, you will learn why plaintext passwords, encryption, and plain hashes are security measures that should not be used. In each lesson, you will learn why these password storage techniques increase your risk for a cyber attack. Beyond that, you’ll also learn how to fix them to create a more secure login experience.

By the end of this course, you will have a strong understanding of password security, and you will be better equipped to create web apps that users trust.

Password Security: How not to Store Passwords

## Password hashing algorithms

Salted hashes have several nice properties. The only problem is the speed an attacker can test guesses. They would be much more secure if they took more time. Here's our dumb hash algorithm again, but now it repeats some number of times:

def dumb_hash_count(count, value):
    sum = 0
    for i in range(count):
        for b in bytes(value, 'utf-8'):
            sum += b
    return sum

print("count=123: %d" % dumb_hash_count(123, "apple"))
print("count=1000: %d" % dumb_hash_count(1000, "apple"))

Of course, this isn't a real password hashing algorithm, but notice that anyone who tries to skip an iteration will get the wrong answer. Additionally, a count of `1,000` requires `1,000` times more processing power for each password guess than the original algorithm. Processing power costs an attacker real money, so making them spend `1,000` times more can be an effective deterrent. However, everything has a trade-off, and you'll have to pay for this, too.

## bcrypt

This is the principle behind [**bcrypt**](https://en.wikipedia.org/wiki/Bcrypt). It requires a configurable amount of CPU time, which, in theory, makes it future proof. [**PBKDF2**](https://en.wikipedia.org/wiki/PBKDF2) also has similar benefits. However, **bcrypt** has a few advantages over **PBKDF2**, so we'll look at **bcrypt**:

# Password hashing algorithms

Salted hashes have several nice properties. The only problem is the speed an attacker can test guesses. They would be much more secure if they took more time. Here's our dumb hash algorithm again, but now it repeats some number of times:

Of course, this isn't a real password hashing algorithm, but notice that anyone who tries to skip an iteration will get the wrong answer. Additionally, a count of `1,000` requires `1,000` times more processing power for each password guess than the original algorithm. Processing power costs an attacker real money, so making them spend `1,000` times more can be an effective deterrent. However, everything has a trade-off, and you'll have to pay for this, too.

# bcrypt

This is the principle behind [**bcrypt**](https://en.wikipedia.org/wiki/Bcrypt). It requires a configurable amount of CPU time, which, in theory, makes it future proof. [**PBKDF2**](https://en.wikipedia.org/wiki/PBKDF2) also has similar benefits. However, **bcrypt** has a few advantages over **PBKDF2**, so we'll look at **bcrypt**:

Get introduced to a couple of special-purpose password hashing algorithms: PBKDF2 and bcrypt.

__default

Strong-ish Password Hashing

Password hashing algorithms

bcrypt