๐ Introduction to Password Hashing
Password hashing is the process of transforming a password into a fixed-size string of characters using a one-way function. This makes it computationally infeasible to reverse the process and recover the original password if the hash is compromised. This is a cornerstone of web application security, protecting user credentials from theft and misuse.
๐ History and Background
Early systems stored passwords in plaintext, which was highly insecure. The introduction of hashing algorithms like MD5 and SHA-1 improved security, but these algorithms were eventually found to be vulnerable to attacks. Modern systems now use more robust algorithms like bcrypt, scrypt, and Argon2, which are designed to be computationally expensive and resistant to various attack vectors.
๐ Key Principles of Password Hashing
- ๐ง Salting: Adding a unique, random string to each password before hashing. This prevents attackers from using precomputed tables of common password hashes (rainbow tables).
- ๐ถ๏ธ Pepper: A secret, globally applied key to the password before hashing. This is stored securely on the server and adds another layer of protection.
- ๐ช Key Stretching: Repeating the hashing process multiple times to increase the computational cost. This makes brute-force attacks more difficult.
- ๐ก๏ธ Adaptive Hashing: Algorithms that can be configured to increase the computational cost as hardware improves, maintaining security over time.
๐ป Real-World Examples in Python
Python's bcrypt library provides a secure and easy-to-use way to hash passwords. Hereโs how you can use it:
First, install the library:
pip install bcrypt
Here's a sample code:
import bcrypt
def hash_password(password):
# Generate a salt
salt = bcrypt.gensalt()
# Hash the password
hashed_password = bcrypt.hashpw(password.encode('utf-8'), salt)
return hashed_password
def verify_password(password, hashed_password):
# Verify the password against the hash
return bcrypt.checkpw(password.encode('utf-8'), hashed_password)
# Example usage
password = "MySecurePassword123"
hashed = hash_password(password)
print("Hashed password:", hashed)
# Verification
if verify_password(password, hashed):
print("Password verified!")
else:
print("Password verification failed!")
Another example using PBKDF2HMAC from hashlib:
import hashlib
import os
def hash_password_pbkdf2(password):
# Generate a random salt
salt = os.urandom(16)
# Hash the password using PBKDF2HMAC
hashed_password = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt,
100000 # Number of iterations
)
return salt, hashed_password
def verify_password_pbkdf2(password, salt, hashed_password):
# Hash the provided password with the same salt
new_hashed_password = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt,
100000
)
return new_hashed_password == hashed_password
# Example usage
password = "AnotherStrongPassword"
salt, hashed = hash_password_pbkdf2(password)
print("Salt:", salt)
print("Hashed password:", hashed)
# Verification
if verify_password_pbkdf2(password, salt, hashed):
print("Password verified!")
else:
print("Password verification failed!")
And another example using Argon2:
import argon2
def hash_password_argon2(password):
# Create a password hasher
ph = argon2.PasswordHasher()
# Hash the password
hashed_password = ph.hash(password)
return hashed_password
def verify_password_argon2(password, hashed_password):
# Verify the password against the hash
try:
ph = argon2.PasswordHasher()
return ph.verify(hashed_password, password)
except argon2.exceptions.VerifyMismatchError:
return False
# Example usage
password = "YetAnotherPassword"
hashed = hash_password_argon2(password)
print("Hashed password:", hashed)
# Verification
if verify_password_argon2(password, hashed):
print("Password verified!")
else:
print("Password verification failed!")
๐ Comparison Table of Hashing Algorithms
| Algorithm |
Strengths |
Weaknesses |
Use Cases |
| bcrypt |
Strong, widely used, adaptive. |
Relatively slow. |
Web application passwords. |
| PBKDF2 |
Standard, configurable iteration count. |
Can be vulnerable with low iteration counts. |
Password storage, key derivation. |
| Argon2 |
Modern, memory-hard, resistant to various attacks. |
Relatively new, may not be supported everywhere. |
Password storage, key derivation. |
๐ก Best Practices
- ๐ Regularly Rehash: Rehash passwords periodically using a new salt and updated algorithms.
- ๐ Secure Storage: Store salts and pepper securely, separate from the password hashes.
- โ ๏ธ Avoid Deprecated Algorithms: Do not use MD5 or SHA-1 for password hashing.
- ๐งช Test Thoroughly: Ensure your password hashing implementation is robust and secure by performing penetration tests.
- ๐ก๏ธ Implement Rate Limiting: Protect against brute-force attacks by limiting the number of login attempts.
๐ Conclusion
Password hashing is a critical component of web application security. By understanding the principles and using secure algorithms like bcrypt, PBKDF2, and Argon2, you can protect user credentials and build more secure systems. Always stay updated with the latest security best practices to mitigate potential vulnerabilities.