{ "cells": [ { "cell_type": "markdown", "id": "funded-sheep", "metadata": {}, "source": [ "# Password Hashing\n", "\n", "Secret keys used to encrypt or sign confidential data have to be chosen from a very large keyspace.\n", "\n", "However, passwords are usually short, human-generated strings, making dictionary attacks practical.\n", "\n", "Password hashing functions derive a secret key of any size from a password and salt.\n", "\n", " - The generated key has the size defined by the application, no matter what the password length is.\n", " - The same password hashed with the same parameters will always produce the same output.\n", " - The same password hashed with different salts will produce different outputs.\n", " - The function deriving a key from a password and salt is CPU intensive and intentionally requires a fair amount of memory. Therefore, it mitigates brute-force attacks by requiring a significant effort to verify each password.\n", " \n", "Common use cases:\n", "\n", " - Password storage, or rather storing what it takes to verify a password without having to store the actual password.\n", " - Deriving a secret key from a password; for example, for disk encryption.\n", " \n", "Sodium's high-level crypto_pwhash_* API currently leverages the Argon2id function on all platforms. This can change at any point in time, but it is guaranteed that a given version of libsodium can verify all hashes produced by all previous versions from any platform. Applications don't have to worry about backward compatibility." ] } ], "metadata": { "kernelspec": { "display_name": "Python 3 (ipykernel)", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.9.2" } }, "nbformat": 4, "nbformat_minor": 5 }