python-custom.tar.gz

Python

There are a lot of common mistakes in password security. From storing plaintext passwords to not salting user passwords, to using insufficient hashing algorithms like SHA-1.

In this course, you will learn why plaintext passwords, encryption, and plain hashes are security measures that should not be used. In each lesson, you will learn why these password storage techniques increase your risk for a cyber attack. Beyond that, you’ll also learn how to fix them to create a more secure login experience.

By the end of this course, you will have a strong understanding of password security, and you will be better equipped to create web apps that users trust.

Password Security: How not to Store Passwords

## Argon2 and scrypt

**PBKDF2** and **bcrypt** require a configurable amount of CPU power. **Argon2** and **scrypt** take this a step further and require memory also. This makes them harder to crack even on specialized hardware. We've already looked at [PyNaCl's](https://pynacl.readthedocs.io/) **Argon2** function, which also provides a **scrypt** implementation. Additionally, **Python 3.6** and later versions provide [`hashlib.scrypt`](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt).

**scrypt** is alright; its big problem is that it was used in the *Litecoin digital currency*. This prompted the development of Litecoin miners, which are basically **scrypt** solvers. **scrypt** should be able to handle these miners, but **Argon2** is a safer choice, and the design is cleaner anyway.

# Argon2 and scrypt

**PBKDF2** and **bcrypt** require a configurable amount of CPU power. **Argon2** and **scrypt** take this a step further and require memory also. This makes them harder to crack even on specialized hardware. We've already looked at [PyNaCl's](https://pynacl.readthedocs.io/) **Argon2** function, which also provides a **scrypt** implementation. Additionally, **Python 3.6** and later versions provide [`hashlib.scrypt`](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt).

**scrypt** is alright; its big problem is that it was used in the *Litecoin digital currency*. This prompted the development of Litecoin miners, which are basically **scrypt** solvers. **scrypt** should be able to handle these miners, but **Argon2** is a safer choice, and the design is cleaner anyway.

This lesson discusses scrypt and Argon2, the two best password hashing algorithms available today.

__default

Strong Password Hashing

Argon2 and scrypt