### UNDERSTANDING PASSWORD PROTECTION AND CRACKING

Everytime you register an account, the password you decided to use goes through some steps before being saved on the database. Those steps are responsible for protecting your account from being hacked. On this Notebook, I'll explain the process of protecting it and some methods used to crack it.


### HASHING

One of the worst ways of saving a password on the database is plain text. Anyone with bad intentions could simply get the password and access the accounts from the database. To prevent that, the passwords go through a **HASH FUNCTION**. Follow the example below:

In [25]:
password_input = 'MyAwEsOmEpAsSwOrD'
password = hash(password_input)
print(password)

-8866156935385158131


Using the built-in hash function from Python, we can see that the output is way harder to figure it out than a simple plain text. **A hash function is considered a layer of security added to your password**.

The good thing about hashing is that it is impossible to revert the hash back to the password, and it is impossible to find 'sense' on the hashes, since even the most similars passwords give completey different hashes

In [26]:
password2 = 'password123'
password3 = 'Password123'
print(f'{password2} has a hash of {hash(password2)}')
print(f'{password3} has a hash of {hash(password3)}')

password123 has a hash of -5424465327534797983
Password123 has a hash of 4315389960516702057


The simplest method of password cracking, called **Brute Force**, checks every possible password combination against your hash, until it finds a method. Taking in consideration that a 10 digit password, with lower and upper letter, number and special character can have 94<sup>10</sup> unique combinations, this method can take years to find a result.

The problem with only hashing is that a specific password will always have the same hash output. With enough time, anyone can create a list of possible passwords, hash then, and compare the results with your password until a match occurs. **That's How Dictionary Attacks and Rainbow Tables work**

In [27]:
possible_passwords = ['password123','letmein','openthedoor', 'MyAwEsOmEpAsSwOrD']

for possible_password in possible_passwords:
    hashed = hash(possible_password)
    if hashed == password:
        print(f'We found a match! your password is {possible_password}')


We found a match! your password is MyAwEsOmEpAsSwOrD


To prevent that, a random string is added to the password before it is hashed. This random string is called **SALT**.
By adding this random string, even the same passwords will not have the same hashes. This prevents the use of lists to crack your password. Let's create a function to generate our salt, just for the sake of explanation, and also a function to put our salt and password together.

In [31]:
import random

def getSalt():
    salt = ''
    salt_list = ['a','b','c','d','1','2','3','4']
    for x in range(0,10):
        salt = salt + salt_list[random.randrange(0,7)]
    return salt

def hash_with_salt(password):
    salt = getSalt()
    hashed_password = hash(password+salt)
    return hashed_password



Let's check the result:

In [29]:
hash_with_salt(password_input)

-1098913288288582688

Now, if I run the same line of code, the result will be different:

In [30]:
hash_with_salt(password_input)

8938975145748758614

Now the chances of having the same hash using the same password is minimal. That makes each password **unique**

This is not even a scratch on the surface of all password cracking methods and protection methods. But it is important to understand what happens behind the scenes every time we register an account.