Gangmax Blog

Freedom of thought, independence of spirit

Password, Hash & Salt


Another user data leakage event happened recently. Here is an article about how to design and implement your user/password system with good hashing/salt strategies in web applications.

Main points:

  1. Always use a salt when hashing passwords.

  2. Use a long enough salt.

  3. A salt can only be used once.

  4. Use a "Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)" to generate the salt.

Here is a Python code snippet to do it:

salt.py

import os
import base64
import hashlib

def gensalt(saltlen):
  # saltlen is the length of the base64 text; every 3 random bytes encode to 4 characters
  return base64.b64encode(os.urandom(saltlen // 4 * 3)).decode('utf-8')

def genhash(password, saltstr, hashmethod='sha256'):
  # Hash the salt prepended to the password and return the hex digest
  return hashlib.new(hashmethod, (saltstr + password).encode('utf-8')).hexdigest()

password = '123456'
for x in range(1, 11):
  saltstr = gensalt(64)
  hashstr = genhash(password, saltstr)
  print("No. {0}, salt is: {1}, hash is: {2}".format(x, saltstr, hashstr))
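As an added example (not code from the original post), here is a store-and-verify flow that keeps the four rules above: a fresh CSPRNG salt per password, the salt stored next to the hash, and a constant-time comparison when checking a login. It swaps the single SHA-256 pass for PBKDF2-HMAC-SHA256 so that each guess costs an attacker many iterations; the record layout, salt size and iteration count are assumptions chosen for this example.

```python
import hmac
import hashlib
import secrets

# Constructed parameters for this example (not from the original post).
HASH_NAME = "sha256"
SALT_BYTES = 16          # 128-bit salt, freshly drawn for every password
ITERATIONS = 600_000     # PBKDF2 work factor; tune to your hardware budget


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields)."""
    salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, used for this one password only
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + HASH_NAME, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_" + HASH_NAME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:  # malformed record: wrong field count, bad hex or bad integer
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # A plain == would leak timing information about the stored digest.
    return hmac.compare_digest(actual, expected)


def salts_are_unique(records) -> bool:
    """Check that no two stored records share a salt (rule 3 of the post)."""
    salts = [r.split("$")[2] for r in records]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Constructed sample: ten users who all chose the same weak password.
    records = [hash_password("123456") for _ in range(10)]
    print(all(verify_password("123456", r) for r in records))  # True
    print(salts_are_unique(records))                            # True, ten different salts
    print(verify_password("1234567", records[0]))               # False
```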
