Password Hashing - Python
What is Password Hashing
Passwords are something that pretty much everyone has! And, under the Data Protection Act of 1998 (UK), all passwords must be kept safe and secure. If a hacker gains access to passwords, then you are responsible for not keeping them secure.
So, what's the solution?
Password hashing is converting passwords to a string of characters that can't be turned back into the password. Think of it like this:
I've written a Python script to hash a string.
So, what does this do?
werkzeug is a Python package developed by palletsprojects, the creators of the Flask framework. The name means "tools" in German.
werkzeug has a security module (werkzeug.security) with a function called generate_password_hash. This hashes the password that you pass to it. You also need to pass a hashing method to it. I used sha256, which is one of the most popular hashing methods.
Once hashed, the password becomes a long string of letters and numbers. The sha256 at the beginning of the hashed password defines the hashing method that was used.
The benefits of hashing a password are that:
- With current mathematical knowledge, the original password can't be recovered from the hash.
- The original password isn't stored in the database, so the stored data is useless to hackers.
- More security for websites on Replit
@ruiwenge2, you might want to integrate hashing into your websites!
How to hash
As I mentioned earlier, werkzeug is a great Python module for hashing!
generate_password_hash hashes the password that you give it.
check_password_hash can be used to check if the inputted password is the same as the hashed password. More on this later.
You might think that you could hash the inputted password and compare it to the hash in the database, but you can't, because the same password gets hashed to a different string each time. This is demonstrated here:
Now, let's check if these passwords are the same:
To use check_password_hash, you need to pass the hashed password and the raw password to check it with. If the passwords are the same, check_password_hash will return True. If they aren't, you'll get False.
This is how you can check passwords on websites (or apps!) to make sure that they are secure and can't be accessed by anyone!
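The post's own script isn't reproduced above, so here is an added example that walks through the same store-then-check flow with the Python standard library. It is not werkzeug's code and not the author's script: the two function names are reused only so the steps line up with the post, the record layout ("pbkdf2:sha256:iterations$salt$hash") is an assumption of this example chosen to resemble werkzeug's method-prefixed strings, and the sample password "hunter2" is constructed. It shows why hashing the input and comparing strings fails (a fresh random salt per call) and why check_password_hash still works (the salt is read back out of the stored record).

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: a minimal salted password store built on the Python
# standard library. It is NOT werkzeug's code; the two function names are
# reused only so the flow matches the post. The record layout
# "pbkdf2:<hash>:<iterations>$<salt hex>$<hash hex>" is an assumption of
# this example, chosen to resemble werkzeug's "method$salt$hash" strings.
HASH_NAME = "sha256"
ITERATIONS = 600_000      # PBKDF2-SHA256 work factor (OWASP 2023 guidance)
SALT_BYTES = 16


def generate_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt; returns the storable record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new salt per call: same password, new record
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2:{HASH_NAME}:{ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password_hash(stored: str, password: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        method, salt_hex, hash_hex = stored.split("$", 2)
        algo, hash_name, iterations = method.split(":")
        if algo != "pbkdf2":
            return False                        # unknown scheme: never a match
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                     salt, int(iterations))
    except ValueError:
        return False                            # malformed record or bad hash name
    return hmac.compare_digest(digest, expected)  # no early-exit timing leak


def demo() -> dict:
    """Reproduce the two facts the post makes: re-hashing the same password
    gives a different string, yet both records verify the right password."""
    first = generate_password_hash("hunter2")   # constructed sample password
    second = generate_password_hash("hunter2")
    return {
        "method_prefix": first.split("$", 1)[0],        # what the record starts with
        "same_string": first == second,                  # False: different salts
        "both_verify": check_password_hash(first, "hunter2")
                       and check_password_hash(second, "hunter2"),
        "wrong_rejected": check_password_hash(first, "Hunter2"),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With werkzeug itself the two calls from the post, generate_password_hash(password, method="sha256") and check_password_hash(stored, password), play the same roles: the first produces the method-prefixed record you put in the database, the second is the only thing you should ever compare a submitted password against. Note that malformed records and unknown schemes return False rather than raising, so a corrupted row can never accidentally log someone in.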
It's always possible to convert codes back and forth though.
Someone could find a complex method to reverse that.
You should always make your password hashes salty, or even peppery. https://cyberhoot.com/cybrary/password-salting/
This method cannot generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords.
@Highwayman Oh, the method does that itself by default. You can learn more here: https://werkzeug.palletsprojects.com/en/2.0.x/utils/#Security%20Helpers
@Highwayman If you're talking about check_password_hash then idk how it works. Just that it works. The module is open-source if you want to see the code for the functions.
No offense, but I think Replit DB (db) is a better option, it doesn't use as much data and it is easy. You don't need to go through all this hassle, but btw good job!
The point of hashing passwords is that you can't unhash them. This makes it secure because if you put the hashed password in, then it will hash the hashed password and it won't be the same as the original password. And, you can't get back to the original password, so if the data gets stolen then it doesn't matter as much. Though you still might get prosecuted under the Data Protection Act of 1998 (UK).
For Replit DB, as far as I know, it stores information in plaintext and anyone can get it if they know the database id/link. And as that's the Repl id (I think) it isn't too hard to get.
Anyway, this is really easy! You just use one import statement and then a function around the password you're storing and a function against the password you're checking.
You could even use this with Replit DB to store the hashed passwords!