Week-3: Extra Hashing and Password Security Lab

Learning Objectives

By the end of this lab you will:

  • Understand the role of hashing in cybersecurity, particularly in password storage.
  • Differentiate between secure and insecure hashing algorithms.
  • Explore common attacks on hashed passwords, such as brute-force and rainbow table attacks.
  • Implement password hashing and salting techniques using Python.

Lab setup

Prerequisites

  • Python 3 installed
  • Python libraries: hashlib, bcrypt, argon2-cffi
  • Wordlist for password cracking (e.g. rockyou.txt)

Required tools

  • Kali Linux (optional, for demonstrating cracking tools)
  • Python environment (Jupyter Notebook or standard Python script)
  • Visual Studio Code (recommended for editing and running scripts)

Install required Python libraries

pip install bcrypt
pip install argon2-cffi

Opening Python in VS Code

  1. Install Visual Studio Code if not already installed. Download from the official site.
  2. Open VS Code and install the official Python extension by Microsoft from the Extensions view.
  3. Open or create a Python file and save it with a .py extension.
  4. Run Python code using the integrated terminal (View > Terminal) or the Run button in the editor.

Task 1: Understanding hash functions

Step 1: Generate hashes using Python

Create a file named task1_hash_functions.py with the following content:

# task1_hash_functions.py
import hashlib

def generate_hash(password):
    print("MD5:", hashlib.md5(password.encode()).hexdigest())
    print("SHA-1:", hashlib.sha1(password.encode()).hexdigest())
    print("SHA-256:", hashlib.sha256(password.encode()).hexdigest())
    print("SHA-512:", hashlib.sha512(password.encode()).hexdigest())

if __name__ == '__main__':
    password = input("Enter a password to hash: ")
    generate_hash(password)

Discussion questions

  • What differences do you notice in the hash lengths?
  • Why is MD5 considered insecure?

Task 2: Password salting and secure hashing

Step 1: Implement salting with bcrypt

Create task2_password_salting.py:

# task2_password_salting.py
import bcrypt

def hash_password(password):
    # gensalt() returns a random salt that also encodes the work factor (cost);
    # hashpw() stores the salt and cost inside the returned hash string, so nothing
    # extra has to be saved to verify the password later (see bcrypt.checkpw).
    salt = bcrypt.gensalt()
    hashed = bcrypt.hashpw(password.encode(), salt)
    return hashed  # bytes, e.g. b'$2b$12$...'

if __name__ == '__main__':
    password = input("Enter a password: ")
    print("Hashed Password:", hash_password(password))

Discussion questions

  • Why is salting necessary?
  • How does bcrypt enhance password security compared to simple hashing?
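To make these two questions concrete, here is an added example (not one of the lab's own task files) that puts the unsalted SHA-256 of Task 1 next to a per-user salted, iterated hash built with the standard library's hashlib.pbkdf2_hmac, so it runs without bcrypt installed. The user names, passwords, mini wordlist and iteration count are constructed values; the stored record format `pbkdf2_sha256$iterations$salt$hash` is an assumption for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who picked the same password, plus a tiny wordlist.
USERS = {"alice": "sunshine1", "bob": "sunshine1"}
WORDLIST = ["password", "sunshine1", "letmein"]
ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune to your hardware)

def unsalted_sha256(password):
    """The weak scheme from Task 1: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk.hex(), dk_hex)

def precomputed_lookup(wordlist, stored_hashes):
    """Hash the wordlist once and look every stored value up (the lookup-table idea)."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table.get(h) for user, h in stored_hashes.items()}

def run_demo():
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: hash_password_salted(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": weak["alice"] == weak["bob"],          # True
        "lookup_vs_unsalted": precomputed_lookup(WORDLIST, weak),  # both users recovered
        "salted_collide": strong["alice"] == strong["bob"],        # False
        "lookup_vs_salted": precomputed_lookup(WORDLIST, strong),  # nothing recovered
        "verify_ok": verify_password("sunshine1", strong["alice"]),   # True
        "verify_bad": verify_password("sunshine2", strong["alice"]),  # False
    }

if __name__ == "__main__":
    print(run_demo())
```

The unsalted table cracks every user who shares a password in one lookup; with a random per-user salt the table has nothing to match and each guess must be re-derived per user, which is also why the iteration count matters.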

Task 3: Cracking hashed passwords

Step 1: Simulate a brute-force attack

Create task3_brute_force.py:

# task3_brute_force.py
import itertools
import string
import hashlib

def brute_force_hash(target_hash):
    characters = string.ascii_lowercase
    for length in range(1, 6):
        for guess in itertools.product(characters, repeat=length):
            guess = ''.join(guess)
            guess_hash = hashlib.md5(guess.encode()).hexdigest()
            if guess_hash == target_hash:
                return guess
    return None

if __name__ == '__main__':
    # hexdigest() is lowercase, so normalise pasted input before comparing
    target_hash = input("Enter an MD5 hash to crack: ").strip().lower()
    password = brute_force_hash(target_hash)
    if password:
        print("Cracked Password:", password)
    else:
        print("Password not found")

Discussion questions

  • How does password length affect the success of brute-force attacks?
  • What are the limitations of this approach?

Task 4: Implementing Argon2 for strong password hashing

Step 1: Hash passwords using Argon2

Create task4_argon2_hashing.py:

# task4_argon2_hashing.py
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

# Default parameters follow the library's recommended memory cost, time cost and parallelism
ph = PasswordHasher()

if __name__ == '__main__':
    password = input("Enter a password: ")
    # The encoded string carries the salt and the parameters used, e.g. $argon2id$v=19$m=...,t=...,p=...$...
    hashed_password = ph.hash(password)
    print("Argon2 Hashed Password:", hashed_password)

    # Verify example: verify() returns True on a match and raises VerifyMismatchError otherwise
    user_password = input("Re-enter your password to verify: ")
    try:
        ph.verify(hashed_password, user_password)
        print("Password Match")
    except VerifyMismatchError:
        print("Incorrect Password")

Discussion questions

  • Why is Argon2 considered best practice for password hashing?
  • What parameters can be adjusted in Argon2 to enhance security (memory cost, time cost, parallelism)?

Conclusion

This lab provides hands-on experience with hashing techniques, demonstrates vulnerabilities of weak hashing algorithms, and introduces best practice methods using bcrypt and Argon2. Implementing these examples will help you understand how real-world applications secure user credentials.

Extra resources

  • Cryptography Labs: SEED Labs
  • OWASP Password Storage Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

---

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Wednesday 04 February 2026 @ 10:26:27 | Commit: c0a2218