Python Forum
Is there a Python equivalent to PHP password_hash()?
#1
I will never make a living as a programmer. I struggle with everything.

As I understand it, when a user logs in, his or her password is not sent in that form, but scrambled and sent. Not sure if this is correct.

I am trying to use PHP password_hash(), take the content of a MySQL table, Column 2, and password_hash() it into the column password. It can then be checked with password_verify().

Not having much luck with that.

I am wondering if I can do this with Python. Python is a little easier for me to grasp.

I can easily import csv files into MySQL; I made a little webpage which does that quite well.

So I could prepare what I need on my laptop, then import the csv to my webpage MySQL database.

Is there an exact equivalent of PHP password_hash(), using the same algorithm, in Python?
#2
The bcrypt module has hashpw() and checkpw() functions.

https://pypi.org/project/bcrypt/
#3
Thanks! Very helpful!
#4
I think pbkdf2_hmac is ok to hash passwords. You don't need to install third-party dependencies.

import hashlib
import secrets


SALT = secrets.token_bytes(32)  # random salt; store it alongside the hash
user_password_clear_text = "abc"

# hash the password: PBKDF2-HMAC-SHA256, 4096 iterations, returns raw bytes
hashed_pw = hashlib.pbkdf2_hmac("sha256", user_password_clear_text.encode(), SALT, 4096)


# user comes back and enters his password: recompute with the same salt and iterations
hashed_pw_verify = hashlib.pbkdf2_hmac("sha256", input("Please enter your password: ").encode(), SALT, 4096)

# now compare the hashed password from the database with the hashed password from user input
# don't use == as comparison because this allows timing attacks.
# use secrets.compare_digest

if secrets.compare_digest(hashed_pw, hashed_pw_verify):
    print("password ok")
else:
    print("password not ok")
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
#5
(May-17-2020, 11:07 PM)Pedroski55 Wrote: As I understand it, when a user logs in, his or her password is not sent in that form, but scrambled and sent. Not sure if this is correct.

Hashing (and salting!) of the password is usually done on the server.

If you want to understand some of the concepts, OWASP has a cheat sheet here.
#6
What are you using to make that web-page?
Often with security it's better to follow something that's made for this; it's easy to step wrong if trying to do it yourself.
For example, Flask has flask-security or e.g. Flask-Bcrypt.
flask-security Wrote:
  • Use OWASP to guide best practice and default configurations.
  • Migrate to more modern paradigms such as using oauth2 and JWT for token acquisition.
  • Be more opinionated and 'batteries' included by reducing reliance on abandoned projects and bundling in support for common use cases.

Django follows the batteries-included model; see Password management in Django.
Django Wrote: By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST.
This should be sufficient for most users: it’s quite secure, requiring massive amounts of computing time to break.
#7
If you ever want to use PHP again, check below.

The problem here is that you're rehashing an already hashed password, I'm assuming, if you're collecting the password column, then hashing it and trying to match. I will explain how password_verify() works below.

So, assuming you created your database right, your password column should be something like:
Quote: password VARCHAR(255);
Then when you register or insert the user you will use password_hash() on the unhashed password and store the result of that as your password in the database.

Now when you want to match, you will select the password column from the database and compare it with the unhashed password you have stored somewhere, like this:
Quote: password_verify($unhashed, $hashed);

It will return a boolean result: true if it matches and false if it's different.