Summary of learning experience of adding salt to password in python

  • 2021-07-18 08:25:27
  • OfStack

What is it to encrypt a password: The password registered by users is encrypted by md5 method. The advantage of this encryption method is that it is one-way encryption, that is to say, you can deduce the password only by knowing the md5 plus password corresponding to a string of passwords in advance. Although there is a very small probability that the encrypted values of the two passwords may be equal (this phenomenon is called collision), there is basically no need to worry because the probability is extremely low. In the commonly used hashlib module, there are methods such as sha1 (), which are essentially the same as md5, except that the result is 160 bit bytes, which is usually represented by a 40-bit hexadecimal string. md5 is the most common encryption algorithm, which is generated quickly. The result is a fixed 128 bit bytes, which is usually represented by a 32-bit hexadecimal string.

What is adding salt to the password: See above, The following content is taken from Baidu Encyclopedia. It is a general definition and explanation of the rainbow table. In order to prevent hackers from using the rainbow table to reverse and steal the user's password account information in advance, it is necessary to add'salt 'to the password. In fact, simply speaking, when the md5 encryption method in the hashlib module is used, a salt you want to give is passed in, or simply generated randomly (it is safer to encapsulate the salt in a class).

Rainbow table is a pre-calculated table for cryptographic hash function inverse operation, which is prepared for cracking hash value (or hash value, thumbnail, abstract, fingerprint, hash ciphertext) of password. 1 mainstream rainbow watches are above 100G. Such a table is often used to recover fixed-length plain text passwords consisting of a finite set of characters.

Introduction to md5 and sha1 Encryption

import hashlib

md5.update('this is an example'.encode('utf-8'))
md5.update('again'.encode('utf-8')) # Remember here update The () method can be called multiple times, and you can try it yourself 1 Try. 

# Undertake the above 
sha1.update('this is an example'.encode('utf-8'))

The following uses md5 encryption and salt method to achieve simple user registration, store information in the dictionary, and then simulate login.


import hashlib,random

# Registration 

def registration(u,p):
  if u in storage:
    return 'username occupied.please choose another username...'

# Encryption method 
def get_md5(s):
  return hashlib.md5(s.encode('utf-8')).hexdigest()

# Landing 
class Users(object):
  def __init__(self,username,password):
    self.username=username #!!!!!!! Note that salt is given randomly, and every registration 1 Account number for 1 Secondary salt, encapsulated in Users Class, in the login When the comparison in the function is equal, 
    # a.salt It is the salt packaged at the time of registration, and it is the fixed salt at this time, so as long as the account password is correct, it will be fine. 
    self.salt=''.join([chr(random.randint(48,122)) for i in range(20)])

def login(user,pw):
  if user not in storage.keys():
    return 'wrong username'
    if a.password==get_md5(pw+a.salt):
      return 'succeeded'
      return 'wrong password'


The most important thing is to understand that the salt is encapsulated every time. In login function, as long as the password entered by the user + the encapsulated salt is correct, the login can be realized

Related articles: