**Name:**

**Section:**

---

# **bcrpyt**
* Cryptographic Hash Functions (CHFs) are used not just for file verification but also for **secure password storage**.
* A basic approach to authentication is **storing usernames and passwords in a database**.
* When a user logs in, the server checks if the provided credentials match the stored ones.
* However, **storing passwords in plaintext is risky**—if hackers access the database, they can steal every password.
* A safer method is **hashing**, which converts passwords into irreversible data, making them unreadable even if stolen.
* Many CHFs, like **SHA-2** and **SHA-3**, are **designed for speed**.
* However, **if a hashing function is too fast, attackers can quickly brute-force millions or even billions of passwords using modern hardware.**
* **For password security, we need a slow, adaptive hashing function that can be adjusted over time as hardware improves.**
* **`bcrypt` was designed for this purpose**. Its slow hashing process limits the number of guesses an attacker can make per second, making brute-force attacks much harder.

**In this lab exercise, we will explore how bcrypt hashes passwords by generating salts, examining its work factor, measuring hashing speeds for different values, and analyzing the trade-off between security and performance.**

## **Step 1: Install and Import**

* Install and import the `bcrypt` module.

In [None]:
!pip install bcrypt

In [None]:
import bcrypt

## **Step 2: Enter a Password**

* Input a password in the format: `<Last_Name>_<First_Name>_<Student_Number>`.
* **Remember to denote it as a binary string by prefixing with `b`.**

In [None]:
password = b'Rey_Pollux_25B1234'

In [None]:
# Print the password
print(f"Password in plaintext: {password}")

## **Step 3: Generate a Salt**

* A **salt** is an **additional data added during password hashing**.
* Although you can create a salt manually, it's recommended to use the `gensalt()` method for a **secure, pseudo-random salt.**
* bcrypt enforces security best practices by **requiring a salt in the hashing process**, protecting against [rainbow table attacks](https://capec.mitre.org/data/definitions/55.html).

In [None]:
salt = bcrypt.gensalt()

In [None]:
# Print the generated salt
print(f"Generated salt: {salt}")

## **Step 4: Hash Your Password**

* Combine your password with the generated salt and hash them together.

In [None]:
hash = bcrypt.hashpw(password, salt)

In [None]:
# Print the hash
print(f"Hash: {hash}")

## **Step 5: Verify the Password**

* Check that your **original password matches the hashed version.**

In [None]:
# Enter your password
entered_password = b'Rey_Pollux_25B1234'

In [None]:
# Enter the generated hash
hash = b'$2b$12$4cNZmETD1i/V41To/DITXebtqPzQbFLJ9l9nzy40Py28WchYpbrle'

In [None]:
bcrypt.checkpw(entered_password, hash)

## **Step 6: Test with a Wrong Password**

* Try an incorrect password to ensure the verification returns `False`.

In [None]:
# Enter your password
entered_password = b'Rey_Pollux_25B0000'

In [None]:
# Enter the generated hash
hash = b'$2b$12$4cNZmETD1i/V41To/DITXebtqPzQbFLJ9l9nzy40Py28WchYpbrle'

In [None]:
bcrypt.checkpw(entered_password, hash)

## Step 7: Testing with Different Cost Factors

* The **work factor** in `bcrypt` determines the **number of iterations (2^n) for salt generation, affecting the hash computation time.**
* It should be **set as high as possible without slowing user experience or requiring costly hardware upgrades.**
* The default work factor (rounds) in `bcrypt.gensalt` is **12**, meaning bcrypt performs 2^12 (4096) iterations to geneate a salt.

To analyze performance, we will test the hashing speed for work factors ranging from **10 to 20**. This will help assess the **trade-off between security and efficiency**, as higher work factors enhance security but increase processing time.

In [None]:
# Input a password in the format: `<Last_Name>_<First_Name>_<Student_Number>`.
password = b"Rey_Pollux_251234"

In [None]:
import time

# Test different cost values (higher cost means more computation)
work_factors = [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]

for cost in work_factors:
    salt = bcrypt.gensalt(rounds=cost)  # Generate salt with given cost factor
    start_time = time.time()  # Start timer
    hash = bcrypt.hashpw(password, salt)  # Hash password
    end_time = time.time()  # End timer
    time_taken = end_time - start_time  # Calculate duration
    print(f"Cost: {cost}, Time Taken: {time_taken:.4f} seconds")

* You should observe that the higher the work factor, the slower the hashing process.
* As a general rule, calculating a hash should take **less than one second**.

Let us hash a password with a work factor of 20 and see how long it takes to verify it.

In [None]:
# Input a password in the format: `<Last_Name>_<First_Name>_<Student_Number>`.
password = b'Rey_Pollux_25B1234'

In [None]:
import time

salt = bcrypt.gensalt(rounds=20)  # Generate salt with work factor of 20
start_time = time.time()  # Start timer
print("Hashing password...")
hash = bcrypt.hashpw(password, salt)  # Hash password
end_time = time.time()  # End timer
time_taken = end_time - start_time  # Calculate duration
print(f"Hashing Time: {time_taken:.4f} seconds")

In [None]:
start_time = time.time()  # Start timer
print("Verifying password...")
bcrypt.checkpw(password, hash)
end_time = time.time()  # End timer
time_taken = end_time - start_time  # Calculate duration
print(f"Verification Time: {time_taken:.4f} seconds")

* You should observe that the password verification process **took a significant amount of time**.
* The `bcrypt` work factor used here is **IMPRACTICAL** for storing passwords and verifying them during website login.

## **Step 8: Answer the Questions**

1. In **Step 4**, what hash was generated?

> *Answer the question by editing this text cell.*

Compare your generated hash with the information on [this website](https://en.wikipedia.org/wiki/Bcrypt) to analyze its components. Then, answer questions 2 to 4.

2. What does **`$2b$`** represent in the generated hash?

> *Answer the question by editing this text cell.*

3. What does **`12`** represent in the generated hash?

> *Answer the question by editing this text cell.*

4. What is the **base-64 encoding of the input salt** from your generated hash?

> *Answer the question by editing this text cell.*

5. What is the **base-64 encoding of the first 23 bytes of the computed 24-byte hash**?

> *Answer the question by editing this text cell.*

6. bcrypt enforces security best practices by requiring a salt in the hashing process, protecting against **rainbow table attacks**. According to the information on [this website](https://capec.mitre.org/data/definitions/55.html), what is a rainbow table attack? **Copy the exact definition from the site.**

> *Answer the question by editing this text cell.*