Hashing passwords
Avoiding storing passwords in plain text is a known best practice, as software usually only needs to check whether the password provided by the user is correct, and the hash of the password can be stored and compared with the hash of the provided password. If the two hashes match, the passwords are equal; if they don't, the provided password is wrong.
Storing passwords is a pretty standard practice, and usually they are stored as a hash plus some salt. The salt is a randomly generated string that is joined with the password before hashing. Being randomly generated, it ensures that even hashes of equal passwords get different results.
The Python standard library provides a pretty complete set of hashing functions, some of them very well-suited to storing passwords.
How to do it...
Python 3 introduced key derivation functions, which are especially convenient when storing passwords. Both pbkdf2
and scrypt
are provided. While scrypt
is more robust against attacks as it's both memory...