Salt and Hash Example Using Python With Bcrypt on Alpine

This is a post with an example of how to hash a password with a salt. In cryptography, a salt is random data that is combined with the input (such as a password) before it is run through a one-way hash function.

The advantage of using salts is that they protect your sensitive data against dictionary attacks, etc. Every time a fresh salt is applied to the same string, the hashed string will be different.

Installing Bcrypt

I will be using bcrypt to hash my password. I always use alpine images and this is how I got bcrypt running on alpine:

$ docker run -it alpine sh
$ apk add python python-dev py2-pip autoconf automake g++ make --no-cache
$ pip install py-bcrypt

This command should produce a 0 exit code:

$ python -c 'import bcrypt'; echo $?

Bcrypt Example to Hash a Password

Here is an example to show you the output when a salt is applied to a string, such as a password. First we will define our very weak password:

>>> import bcrypt
>>> password = 'pass123'
>>> password
'pass123'

The bcrypt package has a function called gensalt() that accepts a parameter log_rounds which defines the cost (work factor) of the hashing. Let's create a hash for our password:

>>> bcrypt.hashpw(password, bcrypt.gensalt(12))
'$2a$12$iquyyyJAlA9nZwlGo0CYK.J37Qn.to/0mTtiCspNAyO8778006XZG'

>>> bcrypt.hashpw(password, bcrypt.gensalt(12))
'$2a$12$UzNjJ1W/cWqBrt5rzNkb..j.gUvrW64DbvVkNbhRDzBtbRvNInaqq'

As you can see, the hashed string was different when we called it the second time, because gensalt() produced a new random salt on each call.

Bcrypt Salt Hash and Verification Example

Thanks to this post, here is an example of how to hash strings and how to verify the plain text password with the provided salt.

Our functions to create the hash and to verify the password:

>>> import bcrypt
>>> def get_hashed_password(plain_text_password):
...     return bcrypt.hashpw(plain_text_password, bcrypt.gensalt())
...
>>>
>>> def check_password(plain_text_password, hashed_password):
...     return bcrypt.checkpw(plain_text_password, hashed_password)
...
>>>

Create a hashed string:

>>> print(get_hashed_password('mynewpassword'))
$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm

Verify the hash with your plain text password and the salt that was created:

>>> print(check_password('mynewpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm'))
True

When you provide the wrong password with the correct salt, the verification will fail:

>>> print(check_password('myOLDpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm'))
False

When you provide the correct password with the incorrect salt, the verification will also fail:

>>> print(check_password('mynewpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gmX'))
False
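The two gensalt() calls above and the verification checks both rely on the fact that a bcrypt string carries its own version, cost and salt. As an added example (not code from the original post), this pure-Python helper splits the hashes printed above into those fields, shows why the two hashes of 'pass123' differ (different salt, same cost), and shows that the copy with a trailing "X" is not a valid bcrypt string at all. The regex, the field names and needs_rehash() are my own assumptions for illustration.

```python
import re

# bcrypt's modular crypt format, as seen in the strings above:
#   $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), so a
# stored hash already carries everything checkpw() needs except the password.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample values: the hashes printed earlier in this post, plus the
# deliberately corrupted copy (trailing "X") used in the last verification check.
HASH_A = "$2a$12$iquyyyJAlA9nZwlGo0CYK.J37Qn.to/0mTtiCspNAyO8778006XZG"
HASH_B = "$2a$12$UzNjJ1W/cWqBrt5rzNkb..j.gUvrW64DbvVkNbhRDzBtbRvNInaqq"
HASH_C = "$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm"
HASH_C_CORRUPT = HASH_C + "X"


def parse_bcrypt(hashed):
    """Split a bcrypt string into its fields, or return None if it is malformed."""
    m = BCRYPT_RE.match(hashed)
    if m is None:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt only accepts costs in this range
        return None
    return {
        "version": m.group("version"),
        "cost": cost,  # the log_rounds value: work factor is 2**cost
        "rounds": 2 ** cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def same_salt(hash1, hash2):
    """True when two bcrypt strings were produced with the same salt."""
    a, b = parse_bcrypt(hash1), parse_bcrypt(hash2)
    return a is not None and b is not None and a["salt"] == b["salt"]


def needs_rehash(hashed, minimum_cost=12):
    """Flag stored hashes that are malformed or weaker than the cost we now
    require, so they can be re-hashed the next time the user logs in."""
    fields = parse_bcrypt(hashed)
    return fields is None or fields["cost"] < minimum_cost


if __name__ == "__main__":
    for h in (HASH_A, HASH_B, HASH_C, HASH_C_CORRUPT):
        print(h, "->", parse_bcrypt(h))
    print("A and B share a salt:", same_salt(HASH_A, HASH_B))
```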