What is hashing?
Hashing is an algorithm that is used to transform data of any length into a fixed length and is only one way. What this means is that you there is not a purpose to reverse hashing. The hashed the passwords would live hashed in a password database for the rest of their lives. When a user wants to authenticate, the password gets hashed and then the hashes are compared to see if they match character for character. There many different hashing algorithms, they different by:
All of which will determine how secure they are.
import hashlib dude = hashlib.sha256("mypassword").hexdigest() print(dude)
What is Salt or Salting?
Salt is random data, bit/bytes, that is used to make a unique direction for a hash. Instead of just telling something to hash this password, the salt gives it a more unique one off hash that will give the hackers one more layer to dig through.
import hashlib import string import random def id_generator(size=6, chars=string.ascii_uppercase + string.digits + string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size)) salt = id_generator(25) dude = hashlib.sha256("mypassword" + salt).hexdigest() print(dude)
What is encryption?
It’s like hashing, but it’s two way. If a person or computer wants to read or digest something in plain text but needs to be encrypted to safety send it to the recieptient, in order to do this, a key is needed. A key is used to encrypt and decrypt the password, so it is important to save it in a secure location. For example, do not leave it on a shared drive that everyone has access to.
For example, an encrypted email is:
- typed up in clear text
- read in clear text
What are the recommended Hashing Methods?
Important, it’s recommended to alway use a hash plus salt. Hackers have many ways to calculate what the stored clear text value is:
- rainbow tables
- reverse lookup tables
- lookup tables
All of these methods:
- hash a clear text password
- evaluate if it matches that hash they found/hacked
- if it matches, they now know you password
In other words, they can perform a brute force attack on a hash with out having to attempt to authenticate. Once they have found and hash/password match, they will now know your password.
If the password or value is salted or has extra bits added, then even if they are able to brute force hack it (which is unlikely), they will only have a clear text value that is useless.
What is Key Stretching?
Key Stretching is a method of creating a key by giving it a unique length and some extra random bits via salt.
What are the recommended Encryption Methods?
Secure Hashing Python Modules
bcrypt – The current defacto for hashing passwords. Keys can also be generated as well. It is still new (2012) so it is not widely adopted.
PBKDF2 – More of a Key Hashing, but can be used to hash passwords. The key is needed for encryption.
Secure Encryption Python Modules
>>> from Crypto.Cipher import AES >>> obj = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456') >>> message = "The answer is no" >>> ciphertext = obj.encrypt(message) >>> ciphertext '\xd6\x83\x8dd!VT\x92\xaa`A\x05\xe0\x9b\x8b\xf1' >>> obj2 = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456') >>> obj2.decrypt(ciphertext) 'The answer is no'
Hacky way to just use base64 with “Salting” or “Padding”
Base64 Without Salting
password = 'mypassword12345' hashed = base64.b64encode(password) print(password) print(hashed) print(base64.b64decode(hashed))
mypassword12345 bXlwYXNzd29yZDEyMzQ1 mypassword12345
Base64 With Salting
import string import random def id_generator(size=6, chars=string.ascii_uppercase + string.digits + string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size)) # Save this somewhere so you know what to strip out salt = id_generator(25) password = 'mypassword12345' hashed = base64.b64encode(password + salt) print(salt) print(password) print(hashed) print(base64.b64decode(hashed))
SUVCo6V2JUo0dITspOjR0N6OF mypassword12345 bXlwYXNzd29yZDEyMzQ1U1VWQ282VjJKVW8wZElUc3BPalIwTjZPRg== mypassword12345SUVCo6V2JUo0dITspOjR0N6OF