Gangmax Blog

Password, Hash & Salt

Another user-data leak was in the news recently. Here is an article on how to design and implement the user/password system of a web application with a sound hashing and salting strategy.

Main points:

  1. Always salt the password before hashing it.

  2. Use a long enough salt.

  3. Never reuse a salt: generate a fresh one for every password.

  4. Use a cryptographically secure pseudo-random number generator (CSPRNG) to generate the salt.

Here is a Python code snippet to do it:

salt.py

```python
import os
import base64
import hashlib

def gensalt(saltlen):
    # saltlen // 4 * 3 random bytes base64-encode to exactly saltlen characters;
    # os.urandom reads from the operating system's CSPRNG
    return base64.b64encode(os.urandom(saltlen // 4 * 3)).decode('utf-8')

def genhash(password, saltstr, hashmethod='sha256'):
    # hash the salt prepended to the password and return the hex digest
    return hashlib.new(hashmethod, (saltstr + password).encode('utf-8')).hexdigest()

for x in range(1, 11):
    # same password every round, but a fresh salt gives a different hash each time
    password = '123456'
    saltstr = gensalt(64)
    hashstr = genhash(password, saltstr)
    print("No. {0}, salt is: {1}, hash is: {2}".format(x, saltstr, hashstr))
```
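As an added example (not code from the original post), the same salt discipline carried through with a deliberately slow, iterated hash: PBKDF2-HMAC-SHA256 from the standard library, a fresh `os.urandom` salt per record, the cost and salt stored next to the digest, and a constant-time comparison on verification. The iteration count and the `algo$iterations$salt$hash` storage format are assumptions of this example.

```python
import os
import hmac
import base64
import hashlib

# Assumed parameters for this example (not from the original post).
PBKDF2_ITERATIONS = 600_000   # hypothetical cost setting; tune to your hardware
SALT_BYTES = 16               # 128-bit salt drawn from the OS CSPRNG


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with a fresh per-record salt and PBKDF2-HMAC-SHA256.

    Returns 'pbkdf2_sha256$iterations$salt$hash' so the cost and salt travel
    with the digest and the cost can be raised later without a format change.
    """
    salt = os.urandom(SALT_BYTES)   # new salt on every call: never reused
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return '$'.join([
        'pbkdf2_sha256',
        str(iterations),
        base64.b64encode(salt).decode('ascii'),
        base64.b64encode(digest).decode('ascii'),
    ])


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split('$')
        if algo != 'pbkdf2_sha256':
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, int(iters))
    except (ValueError, TypeError):
        return False   # malformed record never verifies
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(actual, expected)


if __name__ == '__main__':
    rec = make_record('123456')
    print(rec)
    print(verify('123456', rec), verify('123457', rec))
```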
