Salting, peppering, and hashing passwords

What can a hacker do when a database is leaked?
Use coupon code MCODING at checkout for up to 91% off all yearly hosting plans!

Your password database just leaked. What info does the hacker get and what can they do with it if you used plaintext passwords, hashed passwords, salted hashed passwords, or peppered salted hashed passwords?

In this video we talk about hashes, salts, and peppers, which can be used to store passwords more securely in your application's database. We use built-in Python primitives. Big open source libraries like Flask and Django use these techniques.

Note: DO NOT WRITE YOUR OWN CRYPTO. This video is for educational purposes, to explain the purpose and benefits of salting and peppering; it is not an example of secure production code.
Note: Hash functions used for password hashing should be purposefully and configurably slow (a tunable work factor), so that checking each guess costs an attacker real time even offline, making it more time-consuming to crack even weak passwords.
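The three ideas above in working code. This is an added example, not the video's own code: per-user random salt stored next to the hash, a secret pepper that lives outside the database and is mixed in with HMAC, and a slow KDF (scrypt) whose work factor is recorded in the stored record so it can be raised later. The PEPPER value is a constructed demo constant; in a real deployment it would come from an environment variable, a KMS, or an HSM/enclave, never from the database.

```python
"""Salted + peppered password storage with only the Python standard library.

salt   : random per-user bytes stored beside the hash (defeats precomputed
         tables; identical passwords hash differently)
pepper : one secret kept outside the database (env var, KMS, HSM/enclave);
         mixed in with HMAC so a DB-only leak gives hashes nobody can verify
KDF    : scrypt with an explicit, stored work factor so it can be raised later
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a real deployment loads PEPPER from a secret store at startup.
# This is a constructed demo value, not a real secret.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

SCRYPT_N = 2 ** 14    # CPU/memory cost (scrypt uses 128 * r * n bytes = 16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def _apply_pepper(password: str, pepper: bytes) -> bytes:
    """HMAC(pepper, password): keyed, fixed-length KDF input, and no ambiguity
    about where the pepper ends and the password begins."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex.
    `salt` is a parameter only so tests can be deterministic; callers should
    let it default to fresh random bytes."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(_apply_pepper(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare.
    A malformed record verifies as False instead of raising."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(_apply_pepper(password, pepper),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    # What a DB-only leak gives the attacker: without the pepper even the
    # right guess does not verify, so offline cracking has nothing to check.
    print(verify_password("correct horse battery staple", record, pepper=b"guess"))  # False
```

Because the salt is random, hashing the same password twice yields two different records, which is exactly what stops a precomputed table from matching many users at once. Storing n, r and p in the record lets you raise the work factor for new hashes without breaking verification of old ones.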

SUPPORT ME ⭐
---------------------------------------------------

Top patrons and donors:
John M, Laura M, Pieter G, Vahnekie, Sigmanificient

BE ACTIVE IN MY COMMUNITY 😄
---------------------------------------------------

CHAPTERS
---------------------------------------------------
0:00 Intro
0:39 DB Leaks
1:14 Plaintext
2:35 Hashes
4:39 Salts
6:14 Peppers
8:14 Closing remarks
Comments

This has got to be one of the best Python channels on YouTube. Really great material, interesting topics, in-depth but not overwhelming, and not sensationalized but still engaging. Keep it up!

atrus

To recap, use a pot to bake some varied sprinkling of salt, a single non-locally sourced twist of pepper, over some hash pwns. But also keep your kitchen clean to avoid leaks. Happy cooking!

komodiT

I once heard about peppers in a slightly different way: when initially saving a password, a very short (1-2 characters) random sequence (pepper) is generated and hashed together with the salt and password. The pepper is not saved anywhere at all. When verifying the password, the application itself has to "crack" the password by trying all the possible peppers. This increases password validation time by a factor of x (e.g. 26 for a single lowercase letter), which should be negligible (anything below 500ms is completely fine). However, this also increases the time needed to crack the password by the same factor, making it much harder for an attacker to crack the password offline.

jemand
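The "unstored pepper" scheme described in the comment above, as an added example (not code from the video or from the commenter). A one-character pepper is drawn at registration and mixed into the KDF input but never written down, so every verification, legitimate or offline, must try all of them. Assumptions: the pepper alphabet is a-z (multiplier 26), and PBKDF2-HMAC-SHA256 with a deliberately small iteration count so the demo runs quickly; a real deployment would use a slower or memory-hard KDF and size the alphabet so worst-case login latency stays acceptable.

```python
"""Password storage with a short pepper that is brute-forced at login.
Assumptions (not from the video): pepper alphabet a-z, PBKDF2-HMAC-SHA256
with a small demo iteration count."""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional, Tuple

PEPPER_ALPHABET = string.ascii_lowercase   # 26 candidates -> 26x multiplier
ITERATIONS = 10_000                        # demo value only; far too low for production
DKLEN = 32


def _kdf(password: str, pepper: str, salt: bytes, iterations: int) -> bytes:
    # The pepper is part of the KDF input; the salt is passed separately and stored.
    return hashlib.pbkdf2_hmac("sha256", (pepper + password).encode("utf-8"),
                               salt, iterations, DKLEN)


def register(password: str) -> str:
    """Store algorithm, iterations, salt and hash. The pepper is used once and discarded."""
    salt = secrets.token_bytes(16)
    pepper = secrets.choice(PEPPER_ALPHABET)
    digest = _kdf(password, pepper, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recover the pepper by brute force. Every candidate is always tried (no
    early return) so response time does not reveal which pepper was drawn;
    otherwise a timing oracle would hand an attacker the 26x back."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    matched = False
    for candidate in PEPPER_ALPHABET:
        if hmac.compare_digest(_kdf(password, candidate, salt, int(iterations)), expected):
            matched = True
    return matched


def offline_crack(record: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What an attacker holding the leaked record has to do: one KDF call per
    guess per possible pepper. Returns (recovered password or None, KDF calls)."""
    _, iterations, salt_hex, hash_hex = record.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    calls = 0
    for guess in wordlist:
        hits = [_kdf(guess, c, salt, int(iterations)) == expected for c in PEPPER_ALPHABET]
        calls += len(PEPPER_ALPHABET)
        if any(hits):
            return guess, calls
    return None, calls


if __name__ == "__main__":
    rec = register("hunter2")
    print(rec)
    print(verify("hunter2", rec), verify("hunter3", rec))          # True False
    print(offline_crack(rec, ["password", "letmein", "hunter2"]))  # ('hunter2', 78)
```

The multiplier is symmetric: the server pays 26 KDF calls per login and the attacker pays 26 per guess, so this only buys something if the base KDF is already as slow as the login budget allows. Note also that the scheme is not compatible with a stored pepper: if the application ever persisted the drawn character, it would collapse back to an ordinary salt.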

Python is not a language I usually work with, but this channel is just so interesting and its teachings are so horizontal to most programming languages that I cannot stop watching it 😂

samuellebot

Use a unique, strong password for every site and service? Yeah. I do that. It’s called a password manager.

A glossary term: Precomputed hashes are called rainbow tables, and by now the ones available are _massive._ Just a hash should be considered as bad as plaintext.

This was a fantastic explanation of password hashing, salts, and peppers. Very good for everyone to know these things.

liesdamnlies

I love these security videos, they're awesome! I'm really learning a lot! Thanks mCoding!

georgesanderson

chad security: just hash it, if someone has a password that can be cracked within a year it's their own fault

edit: this comment is not a joke

Ganerrr

Never knew about peppers before! You mentioned that peppers could be stored in a "secure memory enclave." What is a secure memory enclave, and how would it be different or more secure than the database?

(Also, Discord gang)

NobleMushtak

This channel is so consistently excellent in that you provide very clear, succinct and approachable introductions to each topic you cover. Absolutely fantastic. Great explanation of the utility of salts

AnilKeshwani

Another fantastic video! I learned a lot. Hopefully more frameworks will support pepper soon. That's a really interesting trick.

alexwhb

I hope you can make a sequel to this video discussing algorithms like SHA, Bcrypt, Scrypt and the differences in using them for authentication

xarros

Here from the community post. For some reason, YouTube is really good at recommending those but not videos 🤔

SomeRandomFellow

Hey that's pretty cool. I've never heard of peppers before. Learned something new today!

Sonyim

Great video, this is the first time that I actually understood the concepts of salt and pepper

itsalongday

I have heard of pepper before, but I completely forgot what it was, and this video was helpful to me

LunaDragofelis

1:11 - As someone who's been writing Python code for 11+ years, one of the new changes to Python 3 that always surprises me when I see it is type hinting. After learning Java a few years ago, I understand the appeal and the benefits, but if you want actual static typing, Cython seems a more robust answer.

SorFig

Thank you for this video. Another security measure, which I think should be brought up in any case, is that you should save the salt in its own column. Currently you save everything in one column. This means that if a potential hacker gets the hash of the password, he can immediately get the salt as well. But if the salt is stored in a separate column, the hacker must also be able to get to the column with the salt. This increases the security a bit.

piriyaie

I don't know *anything* about cryptography, but that is now slowly changing. It's interesting the clever defensiveness you need to take to protect against hackers. Another solid vid!

Mutual_Information

Thank you for the videos - it's one of the best (if not the best) channels I've seen for intermediate-advanced Python, and importantly, for introducing functionality or ideas that are not commonly used. Importantly, it is also very short and sweet, and cuts to the chase. Really well done!

jackhuangly

Great! A clear example of how Salt and Pepper work.

anthonyfontana