Password Security
Password hashing, salting, and best practices.
Password Hashing
# Never store plain text passwords
Bad: password stored as text
Good: password_hash stored
# Modern algorithms (slow, salted, tunable cost)
bcrypt # recommended, widely supported
Argon2 # winner of the Password Hashing Competition (PHC)
scrypt # memory-hard, resists GPU/ASIC cracking
# Avoid
MD5, SHA1 # fast general-purpose hashes, cryptographically broken and unsuitable for passwords
bcrypt (Node.js)
const bcrypt = require("bcrypt");

async function hashAndVerify(password) {
  // Hash password: saltRounds is the cost factor (2^10 rounds of key setup);
  // bcrypt generates a random salt and embeds it in the returned hash string
  const saltRounds = 10;
  const hash = await bcrypt.hash(password, saltRounds);
  // Verify password: compare re-hashes the candidate with the salt stored in hash
  const match = await bcrypt.compare(password, hash);
  return match;
}
Python Hashing
import hashlib
import os

password = "correct horse battery staple"  # example input, would come from the login form

# Generate a random 32-byte salt, unique per password
salt = os.urandom(32)
# Hash with salt: PBKDF2-HMAC-SHA256, 100,000 iterations
password_hash = hashlib.pbkdf2_hmac(
    "sha256",
    password.encode("utf-8"),
    salt,
    100000,
)
# Store salt together with password_hash; the salt is needed to verify later
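The snippet above only produces a hash; a real login flow also has to persist the salt and iteration count next to the digest, verify a candidate password without leaking timing information, and notice when a stored record was created with a weaker cost factor than the current setting. The following is an added, self-contained example (not code from the original page) that does all three with the standard library's PBKDF2. The record format `algorithm$iterations$salt_hex$hash_hex`, the `ALGORITHM` label, and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the page): record label,
# current iteration count, and salt length.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100000
SALT_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh salt is drawn per call, so hashing the same password twice
    yields two different records (and equal passwords are not detectable
    by comparing stored hashes).
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: treat as a failed login
    _, iterations, salt_hex, hash_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not stop at the first differing byte,
    # so the comparison time does not reveal how much of the digest matched
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True when the record was made with fewer iterations than ITERATIONS.

    Call this after a successful verify_password and, if it returns True,
    store hash_password(password) so old accounts migrate to the higher cost.
    """
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
    print(needs_rehash(rec))                                     # False
```

The iteration count lives in the record rather than in code so that raising `ITERATIONS` later does not break verification of existing accounts; `needs_rehash` is what lets those accounts be upgraded transparently at their next successful login.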
Password Requirements
# Minimum requirements
Length: 12+ characters
Uppercase: A-Z
Lowercase: a-z
Numbers: 0-9
Special: !@#$%^&*
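The minimum requirements above can be enforced at registration with a small checker that reports every unmet rule at once, so the user is not sent through one error per attempt. This is an added example, not code from the original page; the rule names and the function name `check_password` are assumptions, while the length, character classes and special-character set are the ones listed above.

```python
import string

# Thresholds taken from the page's minimum requirements
MIN_LENGTH = 12
SPECIAL = "!@#$%^&*"

# Each rule is (name, predicate); a password passes when every predicate holds
RULES = [
    ("length", lambda p: len(p) >= MIN_LENGTH),
    ("uppercase", lambda p: any(c in string.ascii_uppercase for c in p)),
    ("lowercase", lambda p: any(c in string.ascii_lowercase for c in p)),
    ("number", lambda p: any(c in string.digits for c in p)),
    ("special", lambda p: any(c in SPECIAL for c in p)),
]


def check_password(password: str) -> list:
    """Return the names of unmet requirements; an empty list means it passes."""
    return [name for name, ok in RULES if not ok(password)]


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3xtra!"))   # []
    print(check_password("short"))              # ['length', 'uppercase', 'number', 'special']
```

Checks run on the plaintext password before it is hashed, and the plaintext should be discarded as soon as the hash is computed; the checker returns rule names rather than the password itself so nothing sensitive ends up in logs or error messages.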
Best Practices
# DO
Use bcrypt or Argon2
Add unique salt per password
Set high cost factor
Use HTTPS
# DO NOT
Store plain text
Use MD5 or SHA1
Send passwords by email