In [1]:
import hashlib
import requests

In [2]:
password = '12345Qwert'
salt = 'dotnet2023'

# MD5 Hashes (Vulnerable)

In [3]:
def get_md5_hash(text: str) -> str:
    md5_hash = hashlib.md5()
    md5_hash.update(text.encode('utf-8'))
    hash_result = md5_hash.hexdigest()

    return hash_result

def get_md5_salted_hash(text: str, salt: str) -> str:
    salted_text = salt + text

    return get_md5_hash(salted_text)



In [4]:
hash = get_md5_hash(password)
salted_hash = get_md5_salted_hash(password, salt)

print(f'The md5 hash is: {hash}')
print(f'The salted md5 hash is: {salted_hash}')

The md5 hash is: 18a49c364ba10330d894b11652e65bc2
The salted md5 hash is: 66e99cc5306f5fc13d5ae882119affc6


# SHA 256 Hashes

In [5]:
def get_sha256_hash(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def get_sha256_salted_hash(text: str, salt: str) -> str:
    salted_text = salt + text
    return get_sha256_hash(salted_text)

In [6]:
hash = get_sha256_hash(password)
salted_hash = get_sha256_salted_hash(password, salt)

print(f'The sha256 hash is: {hash}')
print(f'The salted sha256 hash is: {salted_hash}')

The sha256 hash is: c90142696762be2f4632c18382315ab39e20a41e997cd8a41502aeafcfae49fe
The salted sha256 hash is: 4c08e5ccb92fcb5ef84ebac9636a099121a1609a564d8cf91e87509cc123f64e


# Check for filtered password using HIBP (Have I Been Pwned?)

In [None]:
password = '1234'

In [7]:
base_url = "https://api.pwnedpasswords.com/range"
# Process obtained from https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
# First we obtain the first 5 characters of the password encoded in SHA-1
sha1_hash = hashlib.sha1(password.encode()).hexdigest()
range = sha1_hash[:5].upper()

# We obtain all filtered passwords in that range and check for ours (with anonimity, there will be about 475 results, we are NOT giving away our password)
r = requests.get(f'{base_url}/{range}')
response_text = r.text
index = response_text.find(sha1_hash[5:].upper())

if index != -1:
  leaked_number = response_text[index:].split('\r\n')[0].split(':')[1]
  print(f'This password has been seen {leaked_number} times before...')
else:
  print('This password has not been leaked (yet...)')


This password has been seen 1954 times before...


# References
1. [Salt OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting)
1. [Pepper OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#peppering)
