 It's Called Hashing

One of the big issues with storing usernames and passwords in a database is what happens if we're hacked?
If those passwords are stored as text, our users' security is compromised. Probably across multiple sites because they ignored our advice and used the same password for everything!!!!!
Hashing 
In reality, organizations don't store your actual password. They store a hash of your password. A hash is produced by turning your password into a sequence of numbers, then passing it through a hashing algorithm (a mathematical process that is very difficult to reverse). The data that comes out of this hashing algorithm is what's stored instead of your actual password.


👉 So let's do it. I'm using the built-in hash function to create a numerical hash of the password.


password = "baldy1"
password = hash(password)
print(password)
# This will output a really long number 


👉 Now let's store that hashed version in our database instead of the actual password.


from replit import db
userName = "david"
password = "baldy1"
password = hash(password)
db[userName] = password # Stores the hashed password in the database under the username key 'david'
print(password) 

Printing the Hash


👉 Now I can output the value from the database using print. Notice how it outputs the hash. That will be useless to a hacker. They cannot easily reverse engineer the password from the hash.


from replit import db
print(db["david"])


👉 Let's build the login system that checks the stored hash against a hash of the input.


from replit import db
ask = input("Password >") # Get the input
ask = hash(ask) # Hash the input
if ask == db["david"]: #compare hash of input to stored hash.
  print("Login successful")

 
Oooh, Salty!

Hashing is great, but enterprising hackers have created their own database containing hashes of pretty much every word and common password around.
So chances are, if you use a common password or everyday word, then there's a hash of it sitting around on the internet somewhere just waiting for a reverse lookup.
To help combat this, we can generate a random value and append it to the end of your password before hashing. This random value is called a salt.
👉 Let's salt our password hash from before.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}" # append the salt
newPassword = hash(newPassword) # hash the lot
print(newPassword) 


Second User

👉 If we have a second user with the same password, the uniquely generated salt (I've just made them up in these examples) will produce a completely different hash.


from replit import db
password = "Baldy1"
salt = 10221 # first user's salt
newPassword = f"{password}{salt}" # append the salt
newPassword = hash(newPassword) # hash the lot
print(newPassword)
password = "Baldy1" # second user, same password
salt = 39820 # different salt
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword) # a completely different hash



👉 Because the salt is needed again at login time, our database has to store both the hashed password and the salt. We do this using a dictionary.


from replit import db
password = "Baldy1"
salt = 10221
newPassword = f"{password}{salt}"
newPassword = hash(newPassword)
print(newPassword)
db["david"] = {"password":newPassword, "salt": salt} # store hash and salt together under the username key

👉 Now let's update the login system to pull the salt from the database, append it to the password entered and then hash the lot. After that, we can compare it to the stored hash of password and salt from the previous example.


from replit import db
ans = input("Password >") # Get the input
salt = db["david"]["salt"] # Get the salt from the database.
newPassword = f"{ans}{salt}"
newPassword = hash(newPassword) # Hash the concatenated string
if newPassword == db["david"]["password"]: #compare hash of newPassword to stored hash.
  print("Login successful")
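The same store-and-verify flow as the two login examples above, as an added example that is not from the original post: Python's built-in hash() is randomised per process for strings (a value stored in one run will not match after the Repl restarts), so this version uses hashlib.pbkdf2_hmac with a random salt from the secrets module and a constant-time comparison. It assumes a plain dict named db in place of replit's db.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a plain dict stands in for the replit db used on the page.
db = {}

PBKDF2_ITERATIONS = 600_000  # slow on purpose: raises the cost of offline guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding the salt and the salted hash, both hex-encoded.

    A fresh 16-byte random salt is generated unless one is supplied
    (a supplied salt is only used when re-computing the hash at login).
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # random, per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"password": digest.hex(), "salt": salt.hex()}


def register(username: str, password: str) -> None:
    """Store the salted hash (never the password) under the username key."""
    db[username] = hash_password(password)


def login(username: str, attempt: str) -> bool:
    """Re-hash the attempt with the user's stored salt and compare digests."""
    record = db.get(username)
    if record is None:
        return False
    candidate = hash_password(attempt, bytes.fromhex(record["salt"]))
    # Constant-time comparison: avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate["password"], record["password"])


if __name__ == "__main__":
    register("david", "Baldy1")
    register("sarah", "Baldy1")  # same password, different salt
    print(db["david"]["password"] != db["sarah"]["password"])  # True
    print(login("david", "Baldy1"))  # True
    print(login("david", "baldy1"))  # False: hashing is case sensitive
```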
