Salting Passwords
Notes
In this lesson we look at the remaining weakness in our approach to password storage: rainbow tables. Because every user's password is hashed the same way, an attacker can precompute the hashes of common passwords once and reuse that lookup table against every unsalted database. Our solution is a salt: a random string generated per user, appended to the password before hashing and stored next to the hash. The precomputed table no longer matches anything, and the attacker would have to rebuild it for each salt. Note that a salt only defeats precomputation; SHA-256 is fast, so a single user's salted hash can still be brute-forced directly, which is why production systems use a deliberately slow password hash on top of salting. We'll need to refactor our hashutils.py
code to this end:
import hashlib
import random
import string


def make_salt():
    # Five random letters. random.choice is fine for defeating precomputed
    # tables (the salt only needs to differ per user), but for anything that
    # must be unguessable the secrets module is the standard choice.
    return ''.join([random.choice(string.ascii_letters) for x in range(5)])


def make_pw_hash(password, salt=None):
    # Generate a fresh salt when creating a password; reuse the stored one
    # when verifying.
    if not salt:
        salt = make_salt()
    # Hash the password with the salt appended so identical passwords give
    # different digests for different users.
    hash = hashlib.sha256(str.encode(password + salt)).hexdigest()
    # Store digest and salt together; the salt is not secret.
    return '{0},{1}'.format(hash, salt)


def check_pw_hash(password, hash):
    # Recover the salt from the stored value and recompute the hash.
    salt = hash.split(',')[1]
    if make_pw_hash(password, salt) == hash:
        return True
    return False
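To see why the salt matters, the following added example (not code from the lesson or its repository) builds a small precomputed hash-to-password table from a constructed wordlist, cracks an unsalted SHA-256 hash with it, then shows the same table failing against a salted hash and what the attacker has to do instead: recompute per salt. It also uses secrets.choice for salt generation and secrets.compare_digest for the comparison; both are additions beyond the lesson's code, as is the 16-character alphanumeric salt.

```python
import hashlib
import secrets
import string

# Constructed wordlist standing in for an attacker's password dictionary.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def sha256_hex(data):
    return hashlib.sha256(data.encode()).hexdigest()


def build_lookup_table(words):
    # Precompute digest -> plaintext once. This is the essence of a rainbow
    # table: one table cracks every unsalted database using this hash.
    return {sha256_hex(w): w for w in words}


def crack_unsalted(stored_digest, table):
    # Constant-time lookup: no hashing needed at attack time.
    return table.get(stored_digest)


def make_salt(length=16):
    # Unique per user; secrets.choice draws from the OS CSPRNG.
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def make_pw_hash(password, salt=None):
    if salt is None:
        salt = make_salt()
    return '{0},{1}'.format(sha256_hex(password + salt), salt)


def check_pw_hash(password, stored):
    digest, salt = stored.split(',', 1)
    candidate = make_pw_hash(password, salt)
    # compare_digest avoids leaking where the strings first differ.
    return secrets.compare_digest(candidate, stored)


def crack_salted_with_table(stored, table):
    # The table holds H(word); the database holds H(word + salt), so the
    # precomputed lookup finds nothing.
    digest, _salt = stored.split(',', 1)
    return table.get(digest)


def crack_salted_by_recomputing(stored, words):
    # What the attacker is forced into: hash the whole wordlist again for
    # this one salt. With a fast hash this is still cheap for a single user,
    # which is the motivation for slow password hashes.
    digest, salt = stored.split(',', 1)
    for w in words:
        if sha256_hex(w + salt) == digest:
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = sha256_hex("hunter2")
    salted = make_pw_hash("hunter2")
    return {
        "unsalted_cracked": crack_unsalted(unsalted, table),
        "salted_lookup": crack_salted_with_table(salted, table),
        "salted_recomputed": crack_salted_by_recomputing(salted, WORDLIST),
        # Same password, two users, two different stored values.
        "same_pw_differs": make_pw_hash("hunter2") != make_pw_hash("hunter2"),
        "verify_ok": check_pw_hash("hunter2", salted),
        "verify_bad": check_pw_hash("hunter3", salted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running the demo cracks the unsalted digest straight from the table, gets nothing from the table against the salted value, and recovers the password only by recomputing the wordlist with that user's salt.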
Code
View the final code from this lesson.