1

I'd like a method of hashing an email (just the address) using a unique key. The flow would be the following:

  • I receive an email address.
  • I use that key (along with a hashing algorithm) to hash the email, and then I store that hash in the DB.
  • If the same email tries to sign in, the same hash method will be applied, but it will match the existing one in the database. If it's a new email, the hash is stored in the DB again, and so on.

Now, I know about hashlib and its basic implementation:

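import hashlib

email = '[email protected]'
key = '1234'
# sha256() needs bytes on Python 3, so encode the address first
hash_object = hashlib.sha256(email.encode('utf-8'))
# the key is only prepended to the hex digest; it is not part of the hashed input
print(key + hash_object.hexdigest())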

Now, I don't know how secure this implementation is, as it's always adding the key in front of my hash.

My wish is to have a unique key (which will be stored somewhere), and always hash an email using it. Moreover, I don't want to ever decode that hash. I'm just interested in encoding it.

Any ideas?

6
  • So you want to add salt to the hash? Commented Sep 16, 2015 at 5:12
  • If that salt can be used with a unique key, then yes. Commented Sep 16, 2015 at 5:14
  • I think that you're doing it right, but don't use a key like that. Commented Sep 16, 2015 at 5:16
  • No collision has (yet) been found for sha256. Your approach should work. The addition of a salt is usually used for passwords (when you want the same password to result in a different digest). I would not use it in your case. But why not just use a unique incrementing primary key? Commented Sep 16, 2015 at 5:17
  • Whatever key I would use, someone can figure out that for all the emails the first x chars are the same, so the key is already compromised. Commented Sep 16, 2015 at 5:17

1 Answer 1

3

Adding a key in front of your hash does nothing. It won't improve security since you're hashing a plain password (with no salt), so it'd be very easy to brute force.

What you want is to add a random salt. Then you can do the following:

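import random, hashlib
from string import ascii_letters

password = 'value-to-hash'  # placeholder input; not defined in the original snippet
# random.shuffle() works in place on a list and returns None, so use random.sample()
# to get a shuffled copy of the alphabet as the salt
salt = ''.join(random.sample(ascii_letters, len(ascii_letters)))
# hashlib needs bytes on Python 3
hash = hashlib.sha512((salt + ':' + password).encode('utf-8')).hexdigest()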

Of course, your goal is to add a random combination of letters in front of or at the end of the password, so you can generate it in any other way, not necessarily by shuffling the whole alphabet.

7 Comments

The questioner is on python 3, so please use from string import ascii_letters instead of from string import letters.
@ForceBru would it be easy to find the salt if it were just salt='somestring', not a random combination of letters?
@Alexander, that depends on the length and complexity of your salt. To my mind, it's more secure to use random salts instead of 'static' ones.
@ForceBru please replace salt= ''.join(random.shuffle(letters)) with salt= ''.join(random.shuffle(ascii_letters)).
Thanks, I'll mark this as accepted as this is what I wanted. Anyway, as hiro said no collision has (yet) been found for sha256 so adding a static key won't bother me.
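
Added example, not part of the original question or answer: the question asks for a digest that depends on a stored key and is the same every time for the same address, which is what HMAC-SHA256 with a secret key kept outside the database provides. The helper names, the lowercasing policy, the example.com addresses and the in-memory set standing in for the DB are assumptions; `prefixed_digest` reproduces the question's construction for comparison.

```python
import hashlib
import hmac
import secrets


def normalize_email(address: str) -> str:
    """Assumed policy: trim and lowercase so one mailbox maps to one tag."""
    return address.strip().lower()


def email_tag(address: str, key: bytes) -> str:
    """Keyed, deterministic digest: HMAC-SHA256 over the normalized address."""
    msg = normalize_email(address).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def prefixed_digest(address: str, key: str) -> str:
    """The question's construction, for comparison: key glued onto a plain SHA-256."""
    return key + hashlib.sha256(address.encode("utf-8")).hexdigest()


class EmailIndex:
    """In-memory stand-in for the DB column holding the tags (hypothetical)."""

    def __init__(self, key: bytes):
        self._key = key
        self._tags = set()

    def sign_in(self, address: str) -> bool:
        """True if this address was seen before; otherwise store its tag."""
        tag = email_tag(address, self._key)
        known = tag in self._tags
        self._tags.add(tag)
        return known


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, keep outside the database
    index = EmailIndex(key)
    for addr in ["alice@example.com", "Alice@Example.com ", "bob@example.com"]:  # constructed
        print(addr.strip(), "known" if index.sign_in(addr) else "new")
    # The prefix construction leaves the digest part identical for every key:
    a = prefixed_digest("alice@example.com", "1234")
    b = prefixed_digest("alice@example.com", "9999")
    print("unkeyed digest part identical:", a[4:] == b[4:])
```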