A Guide to Password Hashing
What is Password Hashing
Passwords are something that pretty much everyone has! And, under the UK Data Protection Act 1998, all passwords must be kept safe and secure. If a hacker gains access to passwords, then you are responsible for not keeping them secure.
So, what's the solution?
Password hashing is converting a password into a string of characters that can't be turned back into the password. Think of it like this:
password = 'hello world' # password is set
hashword = hash(password) # password gets hashed
password != unhash(hashword) # there is no unhash: the password can't be recovered from the hash with our knowledge of maths
Example
I've written a Python script to hash a string:
from werkzeug.security import generate_password_hash # pip install werkzeug
password = 'hello world'
hashword = generate_password_hash(password, 'sha256')
print(hashword)
Output:
sha256$Wz1CerC5MmrinjlW$56f1b796758634f1c17640dcfbc1905938a20caa3434c0ec8ca09fd8cdc9669d
So, what does this do?
Well, werkzeug is a Python package developed by palletsprojects, the creators of the Flask framework. werkzeug means tools in German. Anyway, werkzeug has a security module with a function called generate_password_hash. This hashes the password that you pass to it. You also need to pass a hashing method to it. I used sha256, which is one of the most popular hashing methods.
Once hashed, the password becomes a long string of letters and numbers. The sha256 at the beginning of the hashed password defines the hashing method that was used.
Repl: @DillonB07/pseudo-randomNumbersDemo
Benefits
The benefits of hashing a password are that:
- You can't find the original password with our knowledge of maths.
- The original password isn't stored in the database, so the data is useless to hackers.
- More security for open source websites!
How to hash
As I mentioned earlier, werkzeug is a great Python module for hashing!
from werkzeug.security import generate_password_hash, check_password_hash
- generate_password_hash hashes the password that you give it.
- check_password_hash can be used to check if the inputted password is the same as the hashed password. More on this later.
You might think that you could hash the inputted password and compare it to the password in the database, but you can't, because every call hashes it differently: a new random salt (the middle part of the output) is used each time. This is demonstrated here:
from werkzeug.security import generate_password_hash
password = 'hello world'
hashword = generate_password_hash(password, 'sha256')
print(f'1: {hashword}')
password1 = 'hello world'
hashword1 = generate_password_hash(password1, 'sha256')
print(f'2: {hashword1}')
Output:
1: sha256$hoRRG7sXinkSjcBY$5ede7c11b9658239e9319f97ea2da55ef5044e87b5311bce3c230ce155f31a35
2: sha256$iDw7mL3jt6Jyf7D5$1a8e1f5cacf6e3bb33dd59548c05e515fff4d59354a63463025858a3f95286aa
Now, let's check if these passwords are the same:
from werkzeug.security import generate_password_hash, check_password_hash
password = 'hello world'
hashword = generate_password_hash(password, 'sha256')
print(f'1: {hashword}')
password1 = 'hello world'
hashword1 = generate_password_hash(password1, 'sha256')
print(f'2: {hashword1}')
checked = check_password_hash(hashword, password1)
print(checked)
Output:
1: sha256$0pMTuRIPZAgIY9rj$7c0f65d63608f483d4e0c8713b0ec7a725b8db102cd01a22a5dcd5dd5e278a5b
2: sha256$HkBW2kGoKAobLNbH$6b4e6e091ea619e3e3a62a998da91f651dc753e7794291987e648d8c22b90c87
True
To use check_password_hash, you need to pass the hashed password and the raw password to check it with. If the passwords are the same, check_password_hash will return True. If they aren't, you'll get False.
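The method$salt$digest layout described earlier, and the reason a freshly hashed password never matches the stored one while check_password_hash still succeeds, as an added standard-library example that is not werkzeug's code: it assumes werkzeug's three-field format, the hypothetical names hash_password, split_hash and check_password, and uses pbkdf2 (a slow, password-oriented method) by default, keeping a plain sha256 branch only to show that it is a single fast hash.

```python
# Added example: a standard-library re-creation of the method$salt$digest layout
# shown on this page. It is NOT werkzeug's own code; the field layout and the
# hypothetical names hash_password/split_hash/check_password are assumptions.
import hashlib
import hmac
import secrets

SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
DEFAULT_ITERATIONS = 600000  # slows every guess; a bare sha256 has no such cost


def make_salt(length=16):
    """Fresh random salt per hash: this is why one password gives many different hashes."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def hash_password(password, method="pbkdf2:sha256", salt=None):
    """Return 'method$salt$hexdigest' for the given method and (optionally fixed) salt."""
    salt = salt or make_salt()
    pw = password.encode("utf-8")
    if method.startswith("pbkdf2:"):
        parts = method.split(":")  # pbkdf2:<algo>[:<iterations>]
        algo = parts[1]
        iterations = int(parts[2]) if len(parts) > 2 else DEFAULT_ITERATIONS
        method = f"pbkdf2:{algo}:{iterations}"  # record the cost so a check can repeat it
        digest = hashlib.pbkdf2_hmac(algo, pw, salt.encode("utf-8"), iterations).hex()
    else:
        # A plain method name such as 'sha256' is one HMAC keyed with the salt:
        # correct, but far too fast to resist offline guessing of leaked hashes.
        digest = hmac.new(salt.encode("utf-8"), pw, method).hexdigest()
    return f"{method}${salt}${digest}"


def split_hash(stored):
    """Break a stored value into its three fields; the first names the method."""
    method, salt, digest = stored.split("$", 2)
    return {"method": method, "salt": salt, "digest": digest}


def check_password(stored, candidate):
    """Re-hash the candidate with the STORED method and salt, then compare in constant time.
    Hashing the candidate with a fresh salt would never match: the trap the page warns about."""
    fields = split_hash(stored)
    recomputed = hash_password(candidate, fields["method"], fields["salt"])
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    first = hash_password("hello world")
    second = hash_password("hello world")
    print(first != second, check_password(first, "hello world"), check_password(first, "Hello world"))
```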