Hashing passwords is a common way to store passwords securely in databases.
Systems that need to verify their users when they log in would need to store a list of correct passwords. However, storing passwords in
To combat this vulnerability, storing hashes of passwords is a good way to hinder the intents of a hacker even if they are to get access to the passwords.
When a new password is created, the system calculates the hash and stores it instead of the password. Similarly, when a user enters a password to log in, the system simply needs to recompute the hash and compare that against the stored hash for verification purposes. If a hacker gets access to the list of hashes, they still can’t determine the original passwords easily.
The SHA-256 algorithm generates a unique 256-bit cryptographic hash from the provided data. SHA-256 is considered to generate unique hashes because it is assumed to be collision-free. Realistically, this algorithm can create hashes that collide too. However, because there are a total of
It should be noted that SHA-256 is not the ideal algorithm to use for hashing passwords, because its computations are very quick. Quick computation means it’s also easy for hackers to compute hashes and brute force their way to the correct password. Instead, algorithms with a slower calculation speed should be preferred, such as bcrypt or scrypt.
Below, we see how we can use SHA-256 to compute hashes for passwords in Python:
import hashlibdef hashPassword(password):encoded = password.encode("utf-8")hashed = hashlib.sha256(encoded)return hashed.hexdigest()if __name__ == "__main__":password = "co#cG091!@"print("Original password:", password)password = hashPassword(password)print("Hashed password:", password)
We utilize the hashlib
library for our purpose, which contains the sha256
algorithm that we would like to use. The hashlib
library also contains many other hashing algorithms such as md5
, sha1
, sha512
, etc.
On lines 3–6, we define the function hashPassword
, which we utilize to hash our password. Note that we first encode the password before passing it to the hashlib.sha256
function. The reason for this is that the sha256
algorithm is unable to accept input parameters of type string. Therefore, we first need to encode our password before hashing it.
Disclaimer: In the widget below, we can see that we get a
TypeError
when we try to usesha256
without encoding our password.
import hashlibdef hashPassword(password):# encoded = password.encode("utf-8")hashed = hashlib.sha256(password)return hashed.hexdigest()if __name__ == "__main__":password = "co#cG091!@"print("Original password:", password)password = hashPassword(password)print("Hashed password:", password)
hexdigest
Similarly, we do not return the result of the sha256
function in its raw form. Instead, we extract its hexdigest
and return it, so that our hash is presented in hexadecimal digits.
In the widget below, we can see that we get a hash object instead of a hash when we don’t extract the hexdigest
:
import hashlibdef hashPassword(password):encoded = password.encode("utf-8")hashed = hashlib.sha256(encoded)return hashedif __name__ == "__main__":password = "co#cG091!@"print("Original password:", password)password = hashPassword(password)print("Hashed password:", password)
In conclusion, while the SHA-256 algorithm provides a straightforward and secure method for hashing passwords, it has limitations due to its fast computation speed, which can potentially expose passwords to brute-force attacks. For applications requiring stronger password security, using algorithms like bcrypt
or scrypt
is recommended, as they are designed to slow down the hashing process, making it more resilient against such attacks. However, understanding SHA-256 and its application in password hashing, as outlined in this guide, is an important step in grasping how modern password security protocols are implemented and highlights the necessity of choosing the right tools for protecting sensitive user data.
Free Resources