### UNDERSTANDING PASSWORD PROTECTION AND CRACKING

Everytime you register an account, the password you decided to use goes through some steps before being saved on the database. Those steps are responsible for protecting your account from being hacked. On this Notebook, I'll explain the process of protecting it and some methods used to crack it.


### HASHING

One of the worst ways of saving a password on the database is plain text. Anyone with bad intentions could simply get the password and access the accounts from the database. 

In [23]:
username = 'JohnLennon'
password = 'LetItBe'

|  username |  JohnLennon |  
|---|---| 
| password  |  LetItBe |


To prevent that, the passwords go through a **HASH FUNCTION**. Follow the example below:

In [24]:
hashed = hash(password)
print(hashed)

6989684075308663858


|  username |  JohnLennon |  
|---|---| 
| password  |  6989684075308663858 |


Using the built-in hash function from Python, we can see that the output is way harder to figure it out than a simple plain text. **A hash function is considered a layer of security added to your password**.

The good thing about hashing is that it is **impossible** to revert the hash back to the password, and it is impossible to find 'sense' on the hashes, since even the most similars passwords give completey different hashes

In [34]:
password2 = 'password123'
password3 = 'Password123'
print(f'{password2} has a hash of {hash(password2)}')
print(f'{password3} has a hash of {hash(password3)}')

password123 has a hash of -7244937712914343059
Password123 has a hash of 4729695999618331497


### BRUTE FORCE ATTACKS

The simplest method of password cracking, called **Brute Force**, checks every possible password combination against your hash, until it finds a match.

let's take in consideration that a 10 digit password, with lower and upper letter, number and special character can have **94<sup>10</sup> unique combinations.** If your machine can hash 1000000 possible combinations per second, that would take:

In [26]:
possibilities = 94 ** 10

hashes_per_second = 1000000

seconds_in_a_year = 60*60*24*365

time_to_break = (possibilities / hashes_per_second) / seconds_in_a_year
print(str(int(time_to_break)) + ' years')

1707937 years


As you see above, it would take centuries to break a password just by randomly trying different inputs. So, another methods were developed to find a shortcut for that.

### HASHING LIMITATIONS

A limitation with hashing is that a specific password will always have the same hash output. 

In [32]:
hashed_2 = hash(password)
print(hashed)
print(hashed_2)

6989684075308663858
6989684075308663858


With enough time, anyone can create a list of possible passwords, hash then, and compare the results with your password until a match occurs. **That's How Dictionary Attacks and Rainbow Tables work**

### DICTIONARY ATTACKS - RAINBOW TABLES

In [31]:
possible_passwords = ['password123','letmein','openthedoor', 'LetItBe']

for possible_password in possible_passwords:
    possible_hashed = hash(possible_password)
    if possible_hashed == hashed:
        print(f'We found a match! your password is {possible_password}')


We found a match! your password is LetItBe


To prevent that, a random string is added to the password before it is hashed. This random string is called **SALT or PEPPER**.


## SALTING / PEPPER

By adding this random string, even the same passwords will not have the same hashes. This **prevents the use of lists to crack your password.**

Let's create a function to generate our salt, **just for the sake of explanation**, and also a function to put our salt and password together.

In [49]:
import random


def getSalt():
    charset = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
    
    salt = ''
    
    random_len = random.randrange(5,15)
    
    for x in range(0,random_len):
        salt = salt + charset[random.randrange(0,94)]
    return salt

def hash_with_salt(password):
    salt = getSalt()
    print(f"the salt used was {salt}")
    hashed_password = hash(password+salt)
    return hashed_password



Let's check the result:

In [50]:
hash_with_salt(password)

the salt used was 5%GR]hTA


-4323647285231926894

Now, if I run the same line of code, the result will be different:

In [51]:
hash_with_salt(password)

the salt used was <W.m,[\{v!OTX-


59103097397870121

The salt is saved together with the user's data on the database. Every time the user logs in, the salt is added to the inputed password, hashed and compared with the hash saved. 

In [53]:
protected_password = hash_with_salt(password)
print(protected_password)

the salt used was )>(_H}54g
-228914899963461721


|  username |  JohnLennon |  
|---|---| 
| password  |  -228914899963461721 |
| salt | )>(_H}54g |

**PEPPERS** are also random strings of data, but differently from a SALT, it is not stored with the salt on the database. They have more requirements than a SALT, but ultimately its objective is also to transform each password into an **UNIQUE** one.

This is not even a scratch on the surface of all password cracking methods and protection methods. But it is important to understand what happens behind the scenes every time we register an account.

Want to know more? Here's some links:

[Would you like some pepper on that hash?]( https://spycloud.com/would-you-like-pepper-on-that-hash/)

[NIST password recommendations]( https://spycloud.com/new-nist-guidelines/)