Flask Tutorial Web Development with Python 18 - Password Hashing with Passlib

sentdex · Beginner · 🛠️ AI Tools & Apps · 11y ago

Key Takeaways

This video tutorial demonstrates password hashing using Passlib and SHA-256 crypt in a Flask web development application, highlighting the importance of protecting user passwords and preventing hash table attacks.

Full Transcript

Hello everybody and welcome to the 18th part of our practical Flask tutorial series. In this video we're going to be talking a little bit more about password hashing. So in our __init__.py file here we saw how we were using passlib.hash and sha256_crypt, and then we saw down here that we're actually using that immediately when we encrypt this password, and then we saw in the database what that actually looked like. But then the question is, you know, how secure is it if every time the hash is identical? So how do we actually, how should we hash passwords, and then how do we actually verify that the hash is the same? I think the best way, instead of telling you, is to just show you.

So let's go ahead and come into our Flask tutorial main directory here (make sure you're in /var/www/FlaskApp/FlaskApp), and now we're going to go New File and we're just going to call it pwhash.py. That'll bring up a .py file here, and in here we're going to go ahead and do from passlib.hash import sha256_crypt. Then here we're going to have a password equal to something, and then password2 equal to something. For now we're going to say password, the original password, will be sha256_crypt.encrypt, and then we'll say password; we'll just say the password literally is "password". So this will basically be the encrypted version of, let's say, the registered password, right? This is mimicking the path we took when these are registered; this is what we did to the string version of whatever they entered for password. Here we're saying they entered "password". Then password2 will kind of surmise, I suppose, that this is okay, now the user is actually logging in, and when they log in they're going to enter a password and we're going to do a sha256_crypt encrypt of whatever they enter, and let's say they too enter "password".

So these should be identical, or at least the user input was identical. But if we just use a simple hash, even with, let's say, a SHA-256 hash, what ends up happening is every time someone types in "password" the hash will always be the same; it will always look identical. And as I showed before in the database, two users had the same password, which was actually the number five, but the hash of their number-five password was different; it wasn't the same. So if you just use a simple hash, what's going to end up happening, or what can happen, is people have massive hash tables, and you only need to generate that hash table one time. Once it's generated, it's generated, and people sell these hash tables, or you can actually probably find one for free nowadays. So then all someone would have to do is search for that hash that they found in that hash table and they would know what the password was. That's not good.

So what ends up happening is you hash with what is called a salt, and a salt is just an arbitrary additional batch of letters and maybe numbers and symbols or whatever added to the original user-entered password. You can append it to the end, you can put it in the middle, you can do all kinds of stuff. But again, if you use the same salt every single time, all someone would need at that point is just to know your salt or guess your salt, and if they have access to your database you can actually kind of derive what the salt is even. So that's obviously not the best either. So we're going to be using passlib.hash, and you'll see how we can actually use different salts, or different methodology, and what that actually causes is pretty cool.

So password, password2, and then we'll print out password and print password2. So what is this that we're printing out? We're printing out the value, the hash, the SHA-256 hash of password and password2. These are hashes of identical strings of text, right? Absolutely the same, right? You can see that right here. So let's save that, and there's our file. So now we just need to do python pwhash.py. Let's run it, and you can see that yes indeed, here we have one and here we have another one, and they are not identical. Let's run that one more time, and then you can see that these ones again are not identical. So sometimes it has to do with the order, like the first one, the second one, the third one, with Python as far as randomly picking a salt. True random is actually really difficult to find in computers, and a lot of flaws in encryption-type services like two-factor authentication, or generating, let's say, wallet IDs, like public and private keys for wallets for Bitcoin, let's say, that's where a lot of them fail: in the randomness. And if someone can predict the randomness, because the computer can't actually be random, then we have problems. So anyways, this isn't meant to be a tutorial on encryption; I'm by no means an expert. But anyways, you can see that the hashes are not identical.

We could go even further to actually, you know, question it. We could say if password == password2: print "yay", else print something simple like "failure". Okay, save that, and we can run this one more time and we can see that it says failure, that they did not match. Okay, so that's not good. So how do we actually verify these? Well, luckily for us, that is also included in passlib. So now what we can do is we can actually say print sha256_crypt.verify, and we're going to verify that, let's say... because basically what we're trying to do is, let's say your password here in your database is literally "password", so we're going to try to compare the user's entry. So okay, your database contains a hash, so we want to compare something to a hash. So our question would be: compare what? What do we want to compare? Well, we want to compare the string "password" to the hash of what? Well, we want to compare the string "password" to the hash of password, okay, so the variable basically. Okay, so we'll save that, and now we'll come over to our script, run it, and we see that it returns the boolean of True, that they are identical.

So again, what this is mimicking is when a user goes to log in, whatever they type as their username password, that's what you would put right here, and then you want to verify that hash, because that's going to be... well actually, that one doesn't really need to be hashed, because we're not actually going to do anything with that. We're going to immediately take that, and then when we verify it, it will be hashed, and then you're going to compare it and make sure that's verifiable against the original hash. But again, if someone wants to get your database, every hash, even for identical passwords, is different. So if someone wanted to figure out someone's password, because generally they want that user's password, because what they're looking for is the user's email, and then they want the password, and then from the user's email they can find out, you know, where do they have accounts, on what kind of websites they have accounts, what are their interests, that kind of stuff. And if they have their password, a lot of people use the same password pretty much everywhere, so you just need their email; a lot of times the user's email and the password to that email is the same as the username's password on that website. So when people get data dumps they might get, you know, 10,000 users, and it might be the case that 9,500 users are smart but 500 are stupid, and that's what they're after. They're after the passwords in relation to the emails, or maybe in relation to the username, especially if it's, you know, a website that maybe has more sensitive data on it. A website like pythonprogramming.net, not really; they're not interested in stealing your account or anything like that on there. But what they would be interested in is your password in relation to your email, and then they would try to find any accounts that use that email online, they would try to find any connected accounts with different emails, they would try basically variations of that password on your email and any other accounts that use that email.

So anyway, when you have something like this, it's not impossible, but it's very difficult for someone to actually figure out what your password might be, because they could even guess that your password is "password", but when they run that through, there's no way for them to really truly know if those are identical, unless of course they use the same passlib. But if you were looking at passlib, you would find there's actually some unique characteristics in the back end of passlib that will kind of protect you even from that. But if they, I suppose, got on your server, you might be in a little trouble. Anyway, enough on that. Again, not an encryption expert by any means, but this is the method that you would want to use. I know that Flask does have like a Flask-Login thing; I was really unhappy with it, so if you want to check that out, go for it, see if you can use it comfortably. I didn't really like it, and I found passlib instead, because the main thing that you need is passlib; you need to protect those user passwords, and you never want to pass around those passwords in plain text. So as soon as the password is input, you need to convert it. Other than that, you know, how you handle the rest of the system can sometimes be confusing, but that's why we're having a tutorial on it. So that's it for this video; I just wanted to show you how password hashing works and should work. If you have any questions or comments, please feel free to leave them below. Otherwise, as always, thank you for watching, thanks for all the support and subscriptions, and until next time.
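The behaviour the video demonstrates with passlib's sha256_crypt (same password, different stored hash each time, and a verify step that still succeeds), written out as an added example that is not the video's pwhash.py or passlib's code: it uses only Python's standard library (hashlib.pbkdf2_hmac with a per-password salt from os.urandom) in place of passlib, and the "$pbkdf2-sha256$rounds$salt$digest" record layout is this example's own assumption, not passlib's string format.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the video's code. Standard library instead of passlib; the
# record layout below is this example's own convention (crypt-style, "$"-separated).
ROUNDS = 200_000


def plain_sha256(password: str) -> str:
    """Unsalted hash: identical input always gives the identical digest,
    which is exactly what makes a precomputed hash table useful."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None, rounds: int = ROUNDS) -> str:
    """Salted, iterated hash. A fresh random salt per call means two users
    with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)  # per-password random salt, as passlib does internally
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and rounds parsed out of the stored record and
    compare in constant time; this is what sha256_crypt.verify() does for you."""
    try:
        _, scheme, rounds, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(rounds)
    except (ValueError, TypeError):
        return False  # malformed record: a failed login, never a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample input, echoing the video: two users both choose "password".
    h1 = hash_password("password")
    h2 = hash_password("password")
    print("plain sha256 identical:", plain_sha256("password") == plain_sha256("password"))  # True
    print("salted hashes identical:", h1 == h2)                          # False
    print("verify correct password:", verify_password("password", h1))   # True
    print("verify wrong password:", verify_password("Password", h1))     # False
```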

Original Description

Welcome to part 18 of our Flask web development tutorial, in this video we discuss the concept of password hashing for your user system. It is a big mistake to store user passwords in plain-text. You need to be protecting this information, and the method most accepted for this is password hashing. We're going to be using the Python module called Passlib for this. sample code: http://pythonprogramming.net http://seaofbtc.com http://sentdex.com http://hkinsley.com https://twitter.com/sentdex Bitcoin donations: 1GV7srgR4NJx4vrk7avCmmVQQrqmv87ty6

This video teaches how to use Passlib and SHA-256 crypt for password hashing in Flask web development, emphasizing the importance of password protection and data security. By following this tutorial, viewers can learn how to implement secure password hashing and prevent common attacks.

Key Takeaways
  1. Create a new file for password hashing
  2. Import Passlib's SHA-256 crypt
  3. Hash the user-entered password with SHA-256 crypt and a salt
  4. Print the hashed password
  5. Use Passlib's verify function to compare input strings to hashes
💡 Using a library like Passlib with unique characteristics, such as random salt, can protect against certain types of attacks, like hash table attacks.
