You must never store a password in plaintext, whether for confirming a user's login or for anything similar.
Since many individuals reuse the same password across sites, an attacker who obtains a database of plaintext passwords can pair them with the matching email addresses to log in to the linked website or account, and can then try the same credentials against other accounts.
Today, passwords are normally hashed as soon as they are supplied. The recommended practice is to hash with a salt and store the salt together with the hashed password.
Salting might sound like a step in a recipe for hash browns, but in cryptography it refers to adding random data to a hash function's input, so that two users with identical passwords still end up with different hashes.
As a result, the salted hash defends against several attack methods, including precomputed (rainbow) hash table attacks, and makes offline dictionary and brute-force attempts more expensive, since each stored password has to be attacked individually.
Here, with the aid of code snippets, we'll demonstrate how to use bcrypt to secure your passwords.
So, what is ‘bcrypt’?
Bcrypt is a password-hashing library available for several languages. To strengthen the resulting hash, it automatically generates random data (the salt) each time it hashes a string.
You can also tune the cost factor (the number of rounds) used when the salt is generated, which sets how expensive each hash is to compute.
The bcrypt library only accepts byte strings, not plain str objects. Therefore, before passing an incoming password to bcrypt for hashing, you must first encode it (for example as UTF-8).
Encoding is not the same as hashing or encrypting. It simply converts the string into bytes that the library can process before the hash is computed.
Using bcrypt to Hash a Password in Python
Python makes bcrypt password hashing simple. We'll do it without a framework; if you already know how to store user input in a database and read it back, the procedure is the same inside a framework.
Installation
You only need to set up a Python virtual environment and use an IDE such as PyCharm. Then install the library:
Hashing a password
Once it is installed, let's see how to use bcrypt to hash a string:
The Python code above runs and prints a hashed byte string. But every time you run the script the result is different, because bcrypt generates a fresh random salt on each call; that is how it ensures every user gets a distinct hash even when passwords repeat.
That, incidentally, is all there is to hashing a password.
Password Comparison and Confirmation Using Bcrypt
What if you want to store the hashed password and later check whether it matches the password a user submits for authentication?
That's simple. You only need to compare the authenticating password against the stored entry (in the database, or in memory in this case).
The authenticating password must also be encoded before it is compared, because bcrypt only reads byte strings. Essentially, bcrypt re-hashes the encoded input with the salt embedded in the stored hash and compares the result to the hash you already have in your database.
Let’s test this out by using fictitious Python inputs:
When you run the code above, you are prompted for a new password, which Python keeps in memory. In the authenticating section, you then enter the same password, which only you know.
If the submitted password matches the one that was previously hashed and saved, Python prints a success message.
If not, the else branch runs and the error message is printed.
The fundamental idea is identical to registering a user and then checking a supplied password against the database during authentication.
Conclusion
Although we have used hashed passwords in plain Python, in memory, simply to show how bcrypt works, its real application is in apps with a user base.
Nevertheless, this article demonstrates the essential way to organize your code to accomplish this, even in real-world circumstances.
For instance, if you're using Flask, you can collect the registration and authentication fields through separate web forms instead of console input.
Of course, when comparing passwords in the real world, you'll read the stored hashed passwords from a database.
Jona Nitsch
Thank you for this simple and simple explanation,
This helped me a lot in my current project.
I think it’s very good that the example code is limited to the bare minimum and not overloaded like so many other explanations.
Best regards