Renardo Williams
Hashed Password for User login in Python

Hello everyone! My name is Renardo Williams and this blog is about using hashed passwords for user login in Python.

Whenever an app or program requires users to have a profile or something similar, login and verification are almost always necessary. To support this we must store login credentials in a database so that a user can be verified at login. But imagine if we stored this data as plain text: if an attacker found a database of plaintext passwords, they could easily be used together with the matching emails to log in to the associated site or account, and even to attempt logins on other accounts, since a lot of people reuse the same password.

To protect this sensitive data we hash each password when it is provided. By doing this we ensure that passwords are stored securely in the database using cryptographic hashing rather than as plaintext.

I will be going over a few blocks of code for implementing a simple login system using hashed passwords in Python and SQLAlchemy. This system ensures that passwords are securely stored in the database by using the hashlib library.

hashlib:

This is a Python library that provides interfaces for various secure hash and message digest algorithms, including SHA-256.

Hashing:

This is a one-way function that transforms a password into a fixed-length string of characters, making it computationally infeasible to reverse-engineer the original password.

```python
from hashlib import sha256


class User(Base):
    # SQLAlchemy model; Base, session and the email / hashed_password
    # columns are defined elsewhere in the project.

    @classmethod
    def register_user(cls, email, password):
        hashed_password = cls.hash_password(password)
        user = User(email=email, hashed_password=hashed_password)
        session.add(user)
        session.commit()

    @classmethod
    def hash_password(cls, password):
        # encode() turns the str into UTF-8 bytes; hexdigest() returns the hash as hex text
        return sha256(password.encode()).hexdigest()
```

In the code above, register_user() is the class method for registering a new user. It takes the class itself, an email and a password. After receiving the email and password it calls the hash_password() method with the password as an argument. That method uses hashlib.sha256() to hash the password and returns the hash as a hexadecimal string. A new User object is then created and initialised with the provided email and hashed password, added to a SQLAlchemy session, and the session is committed to persist the new user in the database.

encode():

This method converts the password from a string to bytes using the UTF-8 encoding, because hash functions work on byte sequences, not strings.

hexdigest():

This method is applied to the SHA-256 hash object. It converts the binary digest (hash value) into a hexadecimal string representation. Storing the hash as a hexadecimal string makes it easy to store in databases and transmit over networks.

```python
    # continued inside the User class above

    @classmethod
    def verify_password(cls, plain_password, hashed_password):
        # hash the candidate password and compare it with the stored hex digest
        return cls.hash_password(plain_password) == hashed_password

    @classmethod
    def authenticate_user(cls, email, password):
        user = session.query(User).filter(User.email == email).first()
        if user and cls.verify_password(password, user.hashed_password):
            return user
        return None  # unknown email or wrong password
```

The code above is used to verify a user at login. verify_password(): This method takes a plain password and a hashed password as parameters. It uses the hash_password() class method (which computes the SHA-256 hash of a password) to hash the plain password and then compares the resulting hash with the provided hashed password, returning True if the passwords match and False otherwise.

authenticate_user(): This class method is used for user authentication. It takes an email and a password as parameters. It queries the database for a user with the provided email using the session object. If a user is found and the password verification using verify_password() is successful, it returns the user object, thus authenticating the user.
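As an added example (not code from this post or from the linked project), here is the same register/verify flow written against a constructed in-memory dictionary instead of the SQLAlchemy session. It goes beyond the post by using hashlib.pbkdf2_hmac with a per-user random salt and hmac.compare_digest in place of a bare SHA-256 and ==, so that two users with the same password store different values and the comparison does not leak timing; the storage format and the ITERATIONS value are my own choices.

```python
import hashlib
import hmac
import os

# Constructed in-memory "users table" standing in for the SQLAlchemy session
# of the original project (assumption: one record per email).
USERS = {}

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt is generated unless one is supplied, so two
    users with the same password end up with different stored strings.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(plain_password, stored):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, _digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hash_password(plain_password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def register_user(email, password):
    if email in USERS:
        raise ValueError("email already registered")
    USERS[email] = {"email": email, "hashed_password": hash_password(password)}
    return USERS[email]


def authenticate_user(email, password):
    """Return the user record on success, None otherwise (no hint which part failed)."""
    user = USERS.get(email)
    if user is None:
        # Burn the same hashing cost so an unknown email is not faster to probe.
        hash_password(password, b"\x00" * 16)
        return None
    if verify_password(password, user["hashed_password"]):
        return user
    return None
```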

These code snippets were taken from my Phase-3 Flatiron project https://github.com/Renardo1985/phase-3-python-cli-project. I used this simple implementation of hashed passwords in my user login system. By hashing passwords, you can significantly reduce the impact of data breaches and ensure your users' information remains confidential.

Credits

https://nitratine.net/blog/post/how-to-hash-passwords-in-python/
https://docs.python.org/3/library/hashlib.html
https://www.w3resource.com/python-exercises/cybersecurity/python-cybersecurity-exercise-1.php
https://saturncloud.io/blog/whats-the-recommended-hashing-algorithm-to-use-for-stored-passwords/#:
