I am building a Flask-based RESTful API in Python, and I need to securely store and encrypt user passwords for authentication. Currently, I am using a simple hashing algorithm to hash passwords with a salt, but I'm not sure if this is secure enough.
Here is an example of my current implementation for password hashing:
import hashlib
password = 'password123'
salt = 'somesalt'
hashed_password = hashlib.sha256((password + salt).encode('utf-8')).hexdigest()
print(hashed_password)
Can anyone suggest a more secure way to store and encrypt passwords for user authentication in a Flask-based API? Specifically, I would like to know which password hashing algorithm to use and how to use it in a Flask application. Any advice or suggestions would be greatly appreciated.
sha256 is good enough, but you're using the "salt" as a pepper
the difference is, you'll be using this salt for every password - the value will be 'somesalt' every time. This is actually called a pepper.
If you want to use a salt correctly, you have to randomize it for every password, and then save it into your database along with the password. (then retrieve it, and re-add it when checking the password's hash)
Ideally, you should be using both salt and pepper. The pepper, which is never saved into the database and cannot be figured out if someone just has your database values, and the salt, which makes sure every password's hash is different from every other password's hash, even if the passwords are the same. You should also not put the pepper as clear text into your codebase either.
Using salt and pepper somewhat works like a 2-factor system. The attacker needs to have the pepper and the whole database to have a realistic chance of figuring out the hashes, and they are kept on separate systems)
I would say that
cleartext = very bad
hashed = not good enough
hashed + peppered or salted = mediocre / ok
hashed + peppered + salted = standard