Salt and Hash a Password in Python

Salt and hash a password in Python

EDIT: This answer is wrong. A single iteration of SHA512 is fast, which makes it inappropriate for use as a password hashing function. Use one of the other answers here instead.

Looks fine by me. However, I'm pretty sure you don't actually need base64. You could just do this:

import hashlib, uuid
salt = uuid.uuid4().hex
hashed_password = hashlib.sha512(password + salt).hexdigest()

If it doesn't create difficulties, you can get slightly more efficient storage in your database by storing the salt and hashed password as raw bytes rather than hex strings. To do so, replace hex with bytes and hexdigest with digest.

Python Password Salting and Peppering

As per my knowledge, what you performed is proper.

I've read that sha256 is not made for password hashing so it is not secure

This is meant, you should not hash the password with SHA256 and store it in the database.

It doesn’t mean that you can’t use it for pepper.

One point I can recommend here is instead of using plain SHA-256, use a combination for pepper. Maybe like part of SHA-256 + MD-5 or SHA-1 for that password.

If you use higher hashing algorithms, it takes more computation. Let’s say you might add further features like should not use old password or similar to old passwords, more computation gets wasted.

Salted Hashed Password with Python (Different salt for every new password)

The quick solution I thought of, was to store the salt along with the user's table property

That's exactly what you do. Knowing the salt doesn't really detract from their benefits:

  • Identical passwords in your database will have different hashes.
  • Rainbow tables won't work.
  • Brute-force attacks that attempt to match against any of your hashes will be slowed down.

How to convert C# password hashing with salt to python for windows

They don't start out the same.

If you add some prints to the C#

    protected static string CreateSHA512Hash(string Password, string Salt)
    {
        try
        {
            byte[] bytes_password = Encoding.UTF8.GetBytes(Password);
            byte[] bytes_salt = Encoding.UTF8.GetBytes(Salt);
            HashAlgorithm sha512hash = (HashAlgorithm)new SHA512CryptoServiceProvider();
            for (int index = 0; index < 1000; ++index)
            {
                if (index < 10)
                    Console.WriteLine(Convert.ToBase64String(bytes_password));

                byte[] bytes_iteration = Encoding.UTF8.GetBytes(Convert.ToBase64String(bytes_password) + Convert.ToBase64String(bytes_salt));
                bytes_password = sha512hash.ComputeHash(bytes_iteration);
            }
            Console.WriteLine("...");
            return Convert.ToBase64String(bytes_password);
        }
        catch (Exception ex)
        {
            return "Exception" + ex.Message;
        }
    }

Here's my python port of the same code, with the same debug prints, so you can compare the first 10 values.

import hashlib
from base64 import b64encode

password = "Pass@21"
salt = "SALT(}"

bytes_password = password.encode('utf-8') 
bytes_salt = salt.encode('utf-8')
for i in range(1000):
    if i < 10:
        print(b64encode(bytes_password).decode())
        
    b64pw = b64encode(bytes_password).decode()
    b64sa = b64encode(bytes_salt).decode()
    bytes_iteration = (b64pw + b64sa).encode('utf-8')
    
    bytes_password = hashlib.sha512(bytes_iteration).digest()

print('...')
print(b64encode(bytes_password).decode())

Your original code wasn't consistent on when it hex encoded and when it computed the hash, and it computed a hash prior to entering the loop.

Recover a salted and hashed password in python

You don't. Hashing is a technique which is only one way. This is the whole point of hashing.

You never store raw passwords in order to protect your user if you got a leak of information in your DB.

If you want to implement some "password recover" procedure, you need to do as everyone do, send a email to the person with a temporary link to reset password on send a new one randomly generated.

Hashing Password in .py file

You'll want to use the python hashlib. An example could look something like this:

  import hashlib

  def valid_password(userid, password):
      user = get_user(userid)
      pw_hash = hashlib.sha256(password).hexdigest()
      if user.hash == pw_hash:
          return True
      return False

Also I recommend reviewing some password storage best practices noted in this SO

Edit: I used sh256 in this example, but that is more useful as a message digest. A better use would be hashlib.pbkdf2_hmac or another key derivation function. There is a good write up here.


Related Topics

Python - Pygame Error When Executing Exe File

How to Get a Complete List of Object's Methods and Attributes

Removing Numbers from String

Websocket VS Rest API for Real Time Data

Error: 'Int' Object Is Not Subscriptable - Python

Subprocess.Call() Arguments Ignored When Using Shell=True W/ List

How to Write to a File, Using the Logging Python Module

Is There a Better Way to Iterate Over Two Lists, Getting One Element from Each List for Each Iteration

Display Special Characters When Using Print Statement

Update Tkinter Label from Variable

Tkinter Vanishing Photoimage Issue

How to Catch a Numpy Warning Like It's an Exception (Not Just for Testing)

Python - Typeerror: 'Int' Object Is Not Iterable

Number of Days Between 2 Dates, Excluding Weekends

What's the Best Way to Find the Inverse of Datetime.Isocalendar()

Error on "Pip Install -U Channels" Command Using for Otree (Running Setup.Py Bdist_Wheel for Twisted ... Error)

Error Installing Psycopg2, Library Not Found for -Lssl

Get a List of All the Encodings Python Can Encode To


Leave a reply



Submit