Web-based services and websites store hashed versions of your passwords, which means your actual password isn’t visible or stored in their database instead a string of fixed-length characters is stored.
Hashing is a security technique used to secure your passwords or texts stored in databases. A hash function is used to generate a string of unique fixed-length characters from the provided password by the user.
Let’s see how the hashing is done. In this article, you’ll use the bcrypt library to hash the user’s password and then compare that hashed password to the actual password in Python. You’ll also learn more about the bcrypt library.
Installing bcrypt
Open your terminal window and run the following command to install the bcrypt
library using pip.
1 |
pip install bcrypt |
Now that the bcrypt
is installed in your system, the next step is to use it for hashing the user’s password.
Hash Password using bcrypt
In this section, you’ll see the functions provided by the bcrypt
library that will help you generate salt and hash values.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
import bcrypt # Password to Hash my_password = b'Sachinfromgeekpython' # Generating Salt salt = bcrypt.gensalt() # Hashing Password hash_password = bcrypt.hashpw( password=my_password, salt=salt ) print(f"Actual Password: {my_password.decode('utf-8')}") # Print Hashed Password print(f"Hashed Password: {hash_password.decode('utf-8')}") |
The above code imports the bcrypt
library for hashing the password. A test password is provided in bytes and is stored inside the my_password
variable.
The code uses the gensalt()
function from the bcrypt
library to generate the salt, a string of characters to enhance security.
The salt is a random and unique string of characters combined with the password before hashing to provide additional security, it will always be unique, if two users have the same password, their hashed passwords will be different.
Then the actual password (my_password
) and salt (salt
) are passed to the hashpw()
function from the bcrypt
library to produce the hash value of the actual password.
Finally, the actual and hashed passwords are decoded and printed.
1 2 |
Actual Password: Sachinfromgeekpython Hashed Password: $2b$12$RF6JLXecIE4qujuPgTwkC.GN2BsOmGf8Ji10LyquoBaHkHWUWgiAm |
Check Password using bcrypt
Now that you’ve hashed the password, the next step is to verify the actual password’s hash value against the user-provided password.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
import bcrypt # Password to Hash my_password = b'Sachinfromgeekpython' # Generating Salt salt = bcrypt.gensalt() # Hashing Password hash_password = bcrypt.hashpw( password=my_password, salt=salt ) # User-provided Password user_password = b'Sachinfromgeekpython' # Checking Password check = bcrypt.checkpw( password=user_password, hashed_password=hash_password ) # This will print True or False print(check) # Verifying the Password if check: print("Welcome to GeekPython.") else: print("Invalid Credential.") |
The above code uses the checkpw()
function from the bcrypt
library to check the user-provided password against the hashed password. The hashed password (hash_password
) and user-provided password (user_password
) are passed inside the function and the result is stored inside the check
variable.
Then the code prints the check
variable to obtain the result. In the end, an if-else
statement is used to verify the password.
1 2 |
True Welcome to GeekPython. |
True
in the output above indicates that the hashed password matches the user-provided password, making the first condition true.
Hash Password Using KDF (Key Derivation Function)
KDF (Key Derivation Function) is used to add additional security in password hashing. KDFs are used to derive keys from passwords for authentication purposes while including salt and the number of rounds.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
import bcrypt password = b'Sachinfromgeekpython' salt = bcrypt.gensalt() # Using KDF from bcrypt Lib key = bcrypt.kdf( password=password, salt=salt, desired_key_bytes=32, rounds=200 ) # Print Generated Key print(f"Key: {key}") |
The above code uses the kdf()
function from the bcrypt
library to derive a key from the password. The function is passed with four parameters:
password
: This parameter is set to thepassword
variable which contains a byte string.salt
: This parameter is set to thesalt
variable that contains a unique and fixed-length salt.desired_key_bytes
: This parameter is set to32
which is the desired length of the derived key we want. You can set it to your own desired length.rounds
: This parameter is set to200
which is the number of iterations to make the derivation of the key more computationally intense to increase security. The higher the rounds more the security but the more it uses resources and time.
Finally, the result stored in the key
variable is printed.
1 |
Key: b'\xc4#VW\x9a\x16\xdbG?\x11\xa9\xf7\xbd\x88"7+zxo\xfe@\xce\xab\x89\xc3g\x1c\xec~\xbe\xf7' |
Verifying the Password with KDF
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
import bcrypt password = b'Sachinfromgeekpython' salt = bcrypt.gensalt() # Using KDF from bcrypt Lib key = bcrypt.kdf( password=password, salt=salt, desired_key_bytes=32, rounds=200 ) # User-provided Password user_password = b'Sachinfromgeekpython' # Deriving Key from User-provided Password user_key = bcrypt.kdf( password=user_password, salt=salt, desired_key_bytes=32, rounds=200 ) # Verifying the Password if user_key == key: print("Welcome to GeekPython.") else: print("Invalid Credential.") |
The code derives the key from the user-provided password (user_password
) and stores it inside the user_key
variable.
Then the code verifies the derived keys from the user-provided password (user_key
) and the actual password (password
).
1 |
Welcome to GeekPython. |
The output indicates that the key derived from the user-provided password matches the key derived from the actual password.
Customizing Salt
The gensalt()
function accepts two parameters: rounds
and prefix
, which allow you to customize the number of rounds of hashing to apply to the salt and prefix of the salt.
1 2 3 4 5 6 7 8 9 10 |
import bcrypt # Customize Salt salt = bcrypt.gensalt( rounds=30, prefix=b'2a' ) # Print Generated Salt print(salt.decode('utf-8')) |
The above code customizes the salt generation by passing the rounds
parameter which is set to 30
and the prefix
parameter which is set to b'2a'
to the gensalt()
function.
1 |
$2a$30$5uKaXaXVceqCjmKkPf2mnu |
You can notice that in the beginning after $
, above provided 2a
is prefixed, and just after that 30
indicates the number of rounds.
Conclusion
Password hashing prevents exposing the user’s actual password to the attackers. The hash function, which is simply a mathematical function is used to produce the hash value of the password.
In this article, you’ve learned to hash the user’s password using the bcrypt
library in Python and then check the produced hash value against the user-provided password. Additionally, you’ve seen the KDF (Key Derivation Function) that adds additional security for hashing.
πOther articles you might be interested in if you liked this one
β Different methods to convert bytes into a string in Python.
β Create a WebSocket server and client in Python.
β Create multi-threaded Python programs using a threading module.
β Comparing the accuracies of 4 different pre-trained deep learning models?
β Upload and display images on the frontend using Flask.
β How does the learning rate affect the ML and DL models?
That’s all for now
Keep Codingββ