It's Called Hashing

One of the big issues with storing usernames and passwords in a database is: what happens if we're hacked?
If those passwords are stored as plain text, our users' security is compromised. Probably across multiple sites, because they ignored our advice and used the same password for everything!
Hashing
In reality, organizations don't store your actual password. They store a hash of your password. A hash is produced by turning your password into a sequence of numbers, then passing it through a hashing algorithm (a mathematical process that is very difficult to reverse). The data spat out of this hashing algorithm is what's stored instead of your actual password.


👉 So let's do it. I'm using the built-in hash function to create a numerical hash of the password.


password = "baldy1"
password = hash(password)
print(password)
# This will output a really long number 


👉 Now let's store that hashed version in our database instead of the actual password.


from replit import db
userName = "david"
password = "baldy1"
password = hash(password)
db[userName] = password # Stores the hashed password in the database under the username key 'david'
print(password) 

Printing the Hash


👉 Now I can output the value from the database using print. Notice how it outputs the hash. That will be useless to a hacker. They cannot easily reverse engineer the password from the hash.


from replit import db
print(db["david"])


👉 Let's build the login system that checks the stored hash against a hash of the input.


from replit import db
ask = input("Password >") # Get the input
ask = hash(ask) # Hash the input
if ask == db["david"]: # Compare the hash of the input to the stored hash
  print("Login successful")

 
Oooh, Salty!

Hashing is great, but enterprising hackers have created their own database containing hashes of pretty much every word and common password around.
So chances are, if you use a common password or everyday word, then there's a hash of it sitting around on the internet somewhere just waiting for a reverse lookup.
To help combat this, we can generate a random value and append it to the end of your password before hashing. This random value is called a salt.
👉 Let's salt our password hash from before.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}" # append the salt
newPassword = hash(newPassword) # hash the lot
print(newPassword) 
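As an added illustration of why the salt helps (this is not code from the original post), here is a self-contained example that uses hashlib.sha256 in place of Python's built-in hash(). One caveat worth knowing: hash() on a string is randomised per interpreter process (see PYTHONHASHSEED), so a hash() value stored in the database today will not match the value computed when the Repl restarts tomorrow, which is why the standard library's hashlib is used here. The lookup table is constructed from three made-up passwords and stands in for the precomputed tables described above; the salt value 10221 is the one from the post.

```python
import hashlib

# Constructed stand-in for a precomputed "common password -> hash" table.
COMMON_PASSWORDS = ["password", "123456", "baldy1"]


def sha256_hex(text: str) -> str:
    """Deterministic hex digest of a string (unlike the built-in hash())."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Map unsalted digest -> plaintext, the way a precomputed table would."""
    return {sha256_hex(w): w for w in words}


LOOKUP = build_lookup_table(COMMON_PASSWORDS)


def reverse_lookup(digest: str):
    """Return the plaintext if the digest is in the table, otherwise None."""
    return LOOKUP.get(digest)


def salted_hex(password: str, salt: str) -> str:
    """Append the salt before hashing, exactly as the post does."""
    return sha256_hex(f"{password}{salt}")


if __name__ == "__main__":
    unsalted = sha256_hex("baldy1")
    salted = salted_hex("baldy1", "10221")
    # The unsalted digest is recoverable from the table; the salted one is not.
    print("unsalted digest found in table:", reverse_lookup(unsalted))
    print("salted digest found in table:", reverse_lookup(salted))
```

Because the table was built without the salt, the salted digest simply is not in it; an attacker would have to rebuild the whole table for every salt value, which is the point of salting.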


Second User

👉 If we have a second user with the same password, the uniquely generated salt (I've just made them up in these examples) will produce a completely different hash.


from replit import db
# First user: password plus their own salt
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}" # append the salt
newPassword = hash(newPassword) # hash the lot
print(newPassword)
# Second user: same password, different salt, so a different hash
password = "Baldy1"
salt = 39820
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)



👉 To deal with this, we'd need our database to store both the hashed password and the salt. We do this using a dictionary.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)
db["david"] = {"password":newPassword, "salt": salt}

👉 Now let's update the login system to pull the salt from the database, append it to the password entered and then hash the lot. After that, we can compare it to the stored hash of password and salt from the previous example.


from replit import db
ans = input("Password >") # Get the input
salt = db["david"]["salt"] # Get the salt from the database
newPassword = f"{ans}{salt}" # Append the salt to the input
newPassword = hash(newPassword) # Hash the concatenated string
if newPassword == db["david"]["password"]: # Compare the hash of newPassword to the stored hash
  print("Login successful")
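To show the whole register-and-login flow end to end, here is an added example (not the post's own code) that keeps the same shape as the login system above but swaps in the pieces a practitioner would use in production: a random salt per user from the secrets module rather than a made-up number, a deliberately slow salted hash (PBKDF2-HMAC-SHA256 from hashlib) rather than the built-in hash(), and a constant-time comparison via hmac.compare_digest. The plain dict named db is a constructed stand-in for replit's db, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for replit's db: username -> {"salt", "hash"}.
db = {}

ITERATIONS = 100_000  # assumed work factor; PBKDF2 is meant to be slow


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Generate a fresh random salt for this user and store salt + hash, never the password."""
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def login(username: str, password: str) -> bool:
    """Pull the user's salt, hash the supplied password with it, compare in constant time."""
    record = db.get(username)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist, then reject.
        hash_password(password, secrets.token_bytes(16))
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("david", "Baldy1")
    register("sam", "Baldy1")  # same password as david, different salt
    print("different hashes for the same password:", db["david"]["hash"] != db["sam"]["hash"])
    print("correct password:", login("david", "Baldy1"))
    print("wrong password:", login("david", "baldy1"))
    print("unknown user:", login("nobody", "Baldy1"))
```

The database never sees a plaintext password: register() stores only the salt and the derived hash, and login() recomputes the hash from the stored salt, so the comparison logic is the same as in the post's version while the stored values are safe to keep across restarts.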
