Salt and hash a password in Python

by

Based on the other answers to this question, I’ve implemented a new approach using bcrypt.

Why use bcrypt

If I understand correctly, the argument to use bcrypt over SHA512 is that bcrypt is designed to be slow. bcrypt also has an option to adjust how slow you want it to be when generating the hashed password for the first time:

# The '12' is the number that dictates the 'slowness'
bcrypt.hashpw(password, bcrypt.gensalt( 12 ))

Slow is desirable because if a malicious party gets their hands on the table containing hashed passwords, then it is much more difficult to brute force them.

Implementation

def get_hashed_password(plain_text_password):
    # Hash a password for the first time
    #   (Using bcrypt, the salt is saved into the hash itself)
    return bcrypt.hashpw(plain_text_password, bcrypt.gensalt())

def check_password(plain_text_password, hashed_password):
    # Check hashed password. Using bcrypt, the salt is saved into the hash itself
    return bcrypt.checkpw(plain_text_password, hashed_password)

Notes

I was able to install the library pretty easily in a linux system using:

pip install py-bcrypt

However, I had more trouble installing it on my windows systems. It appears to need a patch. See this Stack Overflow question: py-bcrypt installing on win 7 64bit python

More Related Contents:

  1. Why is sudo not accepting my sudo password? [closed]
  2. Salting Your Password: Best Practices? [closed]
  3. Python urllib2, basic HTTP authentication, and tr.im
  4. Why can a Python dict have multiple keys with the same hash?
  5. Why do -1 and -2 both hash to -2 in CPython? [duplicate]
  6. Where do you store your salt strings?
  7. yii CPasswordHelper: hashPassword and verifyPassword
  8. Login credentials not working with Gmail SMTP
  9. Hashing a file in Python
  10. Time complexity of accessing a Python dict
  11. Best Practices: Salting & peppering passwords?
  12. How to open a password protected excel file using python?
  13. TypeError: unhashable type: ‘dict’, when dict used as a key for another dict [duplicate]
  14. How to use pip on windows behind an authenticating proxy
  15. How to implement a good __hash__ function in python [duplicate]
  16. Why aren’t Python sets hashable?
  17. How to have password echoed as asterisks [duplicate]
  18. How to check if a user is logged in (how to properly use user.is_authenticated)?
  19. Authenticating against active directory using python + ldap
  20. Accepting email address as username in Django
  21. Django: signal when user logs in?
  22. Mark data as sensitive in python
  23. Built in Python hash() function
  24. Reversible hash function?
  25. How do I use the built in password reset/change views with my own templates
  26. Disable hash randomization from within python program
  27. Where can I find source or algorithm of Python’s hash() function?
  28. Google Authenticator implementation in Python
  29. What is a Pythonic way for Dependency Injection?
  30. Calculating a SHA hash with a string + secret key in python

Leave a Comment