Skip to main content

It's Called Hashing,Hashing, Printing the Hash , Salty, Second User ,

 It's Called Hashing

One of the big issues with storing usernames and passwords in a database is what happens if we're hacked?
If those passwords are stored as text, our users' security is compromised. Probably across multiple sites because they ignored our advice and used the same password for everything!!!!!
Hashing 
In reality, organizations don't store your actual password. They store a hash of your password. A hash is produced by turning your password into a sequence of numbers, then passing it though a hashing algorithm (some mathematical process that is very difficult to reverse engineer). The data spit out of this hashing algorithm is what's stored instead of your actual password.


πŸ‘‰ So let's do it. I'm using the built-in hash function to create a numerical hash of the password 


password = "baldy1"
password = hash(password)
print(password)
# This will output a really long number 


πŸ‘‰ Now let's store that hashed version in our database instead of the actual password.


from replit import db
userName = "david"
password = "baldy1"
password = hash(password)
db[userName] = password # Stores the hashed password in the database under the username key 'david'
print(password) 

Printing the Hash


πŸ‘‰ Now I can output the value from the database using print. Notice how it outputs the hash. That will be useless to a hacker. They cannot easily reverse engineer the password from the hash.


from replit import db
print(db["david"])


πŸ‘‰ Let's build the login system that checks the stored hash against a hash of the input.


from replit import db
ask = input("Password >") # Get the input
ask = hash(ask) # Hash the input
if ask == db["david"]: #compare hash of input to stored hash.
  print("Login successful")

 
Oooh, Salty!

Hashing is great, but enterprising hackers have created their own database containing hashes of pretty much every word and common password around.
So chances are, if you use a common password or everyday word, then there's a hash of it sitting around on the internet somewhere just waiting for a reverse lookup.
To help combat this, we can generate a random value and append it to the end of your password before hashing. This random value is called a salt.
πŸ‘‰ Let's salt our password hash from before.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}" # append the salt
newPassword = hash(newPassword) # hash the lot
print(newPassword) 


Second User

πŸ‘‰ If we have a second user with the same password, the uniquely generated salt (I've just made them up in these examples) will produce a completely different hash.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)
password = "Baldy1"
salt = 39820
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)



πŸ‘‰ To deal with this, we'd need our database to store the hashed password and the salt. We do this using a dictionary.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)
db["david"] = {"password":newPassword, "salt": salt}

πŸ‘‰ Now let's update the login system to pull the salt from the database, append it to the password entered and then hash the lot. After that, we can compare it to the stored hash of password and salt from the previous example.


from replit import db
ans = input("Password >") # Get the input
salt = db["david"]["salt"] # Get the salt from the database.
newPassword = f"{ans}{salt}"
newPassword = hash(newPassword) # Hash the concatenated string
if newPassword == db["david"]["password"]: #compare hash of newPassword to stored hash.
  print("Login successful")

Comments

Post a Comment

Popular posts from this blog

Web Scraping

 Web Scraping Some websites don't have lovely APIs for us to interface with. If we want data from these pages, we have to use a tecnique called scraping. This means downloading the whole webpage and poking at it until we can find the information we want. You're going to use scraping to get the top ten restaurants near you. Get started πŸ‘‰ Go to a website like Yelp and search for the top 10 reastaurants in your location. Copy the URL.   url = "https://www.yelp.co.uk/search?find_desc=Restaurants&find_loc=San+Francisco%2C+CA%2C+United+States"   Import libraries πŸ‘‰ Import your libraries. Beautiful soup is a specialist library for extracting the contents of HTML and helping us parse them. Run the Repl once your imports are sorted because we want the Beautiful Soup library to be installed (it'll run quicker this way). import requests from bs4 import BeautifulSoup url = "https://www.yelp.co.uk/search?find_desc=Restaurants&find_loc=San+Francisco%2C+CA%2C+Unite...
Post a Comment
Read more

Hide & Remove,Come Back!,

 Hide & Remove DISCLAIMER: I promise the good stuff is coming back. We have to go through the valley to get to the mountain, right? Sometimes, we want to remove a button, image or piece of text from the screen. To do this, we use pack_forget(). πŸ‘‰ We'll start with our default tkinter program. import tkinter as tk window = tk.Tk() window.title("Hello World")  window.geometry("300x200")  hello = tk.Label(text = "Hello World")  hello.pack()  button = tk.Button(text = "Click me!")  button.pack() tk.mainloop() πŸ‘‰ Now I'm going to add a new subroutine to hide the label and call it on a button click. import tkinter as tk window = tk.Tk() window.title("Hello World")  window.geometry("300x200")  # New subroutine def hideLabel():   hello.pack_forget() # Removes the 'hello' label hello = tk.Label(text = "Hello World")  hello.pack()  button = tk.Button(text = "Click me!", command = hideLabel) # Call...
Post a Comment
Read more