Salt and Hash Example Using Python With Bcrypt on Alpine
This is a post on a example of how to hash a password with a salt. A salt in cryptography is a method that applies a one way function to hash data like passwords.
The advantage of using salts is to protect your sensitive data against dictionary attacks, etc. Everytime a salt is applied to the same string, the hashed string will provide a different result.
Installing Bcrypt
I will be using bcrypt to hash my password. I always use alpine images and this is how I got bcrypt running on alpine:
$ docker run -it apline sh
$ apk add python python-dev py2-pip autoconf automake g++ make --no-cache
$ pip install py-bcrypt
This command should produce a 0 exit code
:
$ python -c 'import bcrypt'; echo $?
Bcrypt Example to Hash a Password
Here is a example to show you the output when a salt is applied to a string, such as a password. First we will define our very weak password:
>>> import bcrypt
>>> password = 'pass123'
>>> password
'pass123'
The bcrypt package has a function called gensalt()
that accepts a parameter log_rounds
which defines the complexity of the hashing. Lets create a hash for our password:
>>> bcrypt.hashpw(password, bcrypt.gensalt(12))
'$2a$12$iquyyyJAlA9nZwlGo0CYK.J37Qn.to/0mTtiCspNAyO8778006XZG'
>>> bcrypt.hashpw(password, bcrypt.gensalt(12))
'$2a$12$UzNjJ1W/cWqBrt5rzNkb..j.gUvrW64DbvVkNbhRDzBtbRvNInaqq'
As you can see, the hashed string was different when we called it for the second time.
Bcrypt Salt Hash and Verification Example:
Thanks to this post, here is a example on how to hash strings and how to verify the plain text password with the provided salt.
Our functions to create the hash and to verify the password:
>>> import bcrypt
>>> def get_hashed_password(plain_text_password):
... return bcrypt.hashpw(plain_text_password, bcrypt.gensalt())
...
>>>
>>> def check_password(plain_text_password, hashed_password):
... return bcrypt.checkpw(plain_text_password, hashed_password)
...
>>>
Create a hashed string:
>>> print(get_hashed_password('mynewpassword'))
$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm
Verify the hash with your plain text password and the salt that was created:
>>> print(check_password('mynewpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm'))
True
When you you provide the wrong password, with the correct salt, the verification will fail:
>>> print(check_password('myOLDpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gm'))
False
When you provide the correct password with the incorrect salt, the verification will also fail:
>>> print(check_password('mynewpassword', '$2a$12$/MemcgbnwJLN8XE86VQZseVxopU6tY76KxnH/AJ0I9T9y1Ldko5gmX'))
False