Salt and hash a password in Python
EDIT: This answer is wrong. A single iteration of SHA512 is fast, which makes it inappropriate for use as a password hashing function. Use one of the other answers here instead.
Looks fine by me. However, I'm pretty sure you don't actually need base64. You could just do this:
import hashlib, uuid
salt = uuid.uuid4().hex
hashed_password = hashlib.sha512(password + salt).hexdigest()
If it doesn't create difficulties, you can get slightly more efficient storage in your database by storing the salt and hashed password as raw bytes rather than hex strings. To do so, replace hex
with bytes
and hexdigest
with digest
.
Python Password Salting and Peppering
As per my knowledge, what you performed is proper.
I've read that sha256 is not made for password hashing so it is not secure
This is meant, you should not hash the password with SHA256 and store it in the database.
It doesn’t mean that you can’t use it for pepper.
One point I can recommend here is instead of using plain SHA-256, use a combination for pepper. Maybe like part of SHA-256 + MD-5 or SHA-1 for that password.
If you use higher hashing algorithms, it takes more computation. Let’s say you might add further features like should not use old password or similar to old passwords, more computation gets wasted.
Salted Hashed Password with Python (Different salt for every new password)
The quick solution I thought of, was to store the salt along with the user's table property
That's exactly what you do. Knowing the salt doesn't really detract from their benefits:
- Identical passwords in your database will have different hashes.
- Rainbow tables won't work.
- Brute-force attacks that attempt to match against any of your hashes will be slowed down.
How to convert C# password hashing with salt to python for windows
They don't start out the same.
If you add some prints to the C#
protected static string CreateSHA512Hash(string Password, string Salt)
{
try
{
byte[] bytes_password = Encoding.UTF8.GetBytes(Password);
byte[] bytes_salt = Encoding.UTF8.GetBytes(Salt);
HashAlgorithm sha512hash = (HashAlgorithm)new SHA512CryptoServiceProvider();
for (int index = 0; index < 1000; ++index)
{
if (index < 10)
Console.WriteLine(Convert.ToBase64String(bytes_password));
byte[] bytes_iteration = Encoding.UTF8.GetBytes(Convert.ToBase64String(bytes_password) + Convert.ToBase64String(bytes_salt));
bytes_password = sha512hash.ComputeHash(bytes_iteration);
}
Console.WriteLine("...");
return Convert.ToBase64String(bytes_password);
}
catch (Exception ex)
{
return "Exception" + ex.Message;
}
}
Here's my python port of the same code, with the same debug prints, so you can compare the first 10 values.
import hashlib
from base64 import b64encode
password = "Pass@21"
salt = "SALT(}"
bytes_password = password.encode('utf-8')
bytes_salt = salt.encode('utf-8')
for i in range(1000):
if i < 10:
print(b64encode(bytes_password).decode())
b64pw = b64encode(bytes_password).decode()
b64sa = b64encode(bytes_salt).decode()
bytes_iteration = (b64pw + b64sa).encode('utf-8')
bytes_password = hashlib.sha512(bytes_iteration).digest()
print('...')
print(b64encode(bytes_password).decode())
Your original code wasn't consistent on when it hex encoded and when it computed the hash, and it computed a hash prior to entering the loop.
Recover a salted and hashed password in python
You don't. Hashing is a technique which is only one way. This is the whole point of hashing.
You never store raw passwords in order to protect your user if you got a leak of information in your DB.
If you want to implement some "password recover" procedure, you need to do as everyone do, send a email to the person with a temporary link to reset password on send a new one randomly generated.
Hashing Password in .py file
You'll want to use the python hashlib. An example could look something like this:
import hashlib
def valid_password(userid, password):
user = get_user(userid)
pw_hash = hashlib.sha256(password).hexdigest()
if user.hash == pw_hash:
return True
return False
Also I recommend reviewing some password storage best practices noted in this SO
Edit: I used sh256 in this example, but that is more useful as a message digest. A better use would be hashlib.pbkdf2_hmac
or another key derivation function. There is a good write up here.
Related Topics
Python - Pygame Error When Executing Exe File
How to Get a Complete List of Object's Methods and Attributes
Websocket VS Rest API for Real Time Data
Error: 'Int' Object Is Not Subscriptable - Python
Subprocess.Call() Arguments Ignored When Using Shell=True W/ List
How to Write to a File, Using the Logging Python Module
Display Special Characters When Using Print Statement
Update Tkinter Label from Variable
Tkinter Vanishing Photoimage Issue
How to Catch a Numpy Warning Like It's an Exception (Not Just for Testing)
Python - Typeerror: 'Int' Object Is Not Iterable
Number of Days Between 2 Dates, Excluding Weekends
What's the Best Way to Find the Inverse of Datetime.Isocalendar()