Password Hashing
Password hashing is done via the Argon2i PBKDF.
PBKDFs can be used for password checking or for key derivation (e.g. implementing encryption with a password).
The output is suitable for use as the key for the SecretBox.
monocypher.pwhash.argon2i(password, salt, hash_size=64, nb_blocks=100000, nb_iterations=3, key=b'', ad=b'')
Computes the raw Argon2i hash (with a parallelism value of 1) of the given password and salt.
If you want to use the output for password verification, it is recommended to set hash_size to 32 or 64 so that you can use the monocypher.utils.crypto_verify32() or monocypher.utils.crypto_verify64() functions.
Parameters:
password – Password (bytes-like object).
salt – Salt (bytes-like object), at least 8 bytes.
nb_blocks (int) – Memory cost in KiB; >= 8.
nb_iterations (int) – Time cost; >= 1.
hash_size (int) – Length of hash in bytes; >= 4.
key – Optional key (bytes-like object).
ad – Optional additional data (bytes-like object).
Return type:
Note
Internally this is the same function as crypto_argon2i()
Key Derivation
from monocypher.pwhash import argon2i
from monocypher.secret import SecretBox

# Derive a 32-byte key (the size SecretBox expects) from the password and salt.
key = argon2i(b'hunter2', b'super-secret-salt', hash_size=32)
box = SecretBox(key)
box.encrypt(b'doesnt look like stars to me')
Password Verification
Note
You should consider using another library like argon2-cffi for verification in most serious use cases (e.g. when making web applications), since it can produce and verify hashes in the Argon2 PHC format.
from monocypher.pwhash import argon2i
from monocypher.utils import crypto_verify32

salt = b'super-secret-salt'

def hash_password(password):
    # 32-byte output so that the digest can be compared with crypto_verify32()
    return argon2i(password, salt, hash_size=32)

# store somewhere
digest = hash_password(b'hunter2')

# verification: crypto_verify32() compares the two digests in constant time
password = input().encode('utf-8')
if not crypto_verify32(hash_password(password), digest):
    reject_user()  # application-specific handler, not part of monocypher
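The snippet above uses one fixed salt for every user, so two users with the same password end up with the same digest, and a table precomputed for that salt applies to every account. The following is an added example, not part of the pymonocypher documentation, that stores a fresh random salt next to each digest and verifies in constant time. The record handling takes the KDF as a parameter: monocypher_kdf wraps argon2i with the signature documented on this page, while stdlib_kdf (hashlib.pbkdf2_hmac) is included only so the record logic can be exercised where pymonocypher is not installed; deployments should use the Argon2i one. The 16-byte salt length and the record layout (salt followed by digest) are choices made here, not anything the page prescribes.

```python
# Added example: per-user salted password records on top of argon2i.
# Not part of the pymonocypher documentation; assumes the argon2i signature
# documented above (argon2i(password, salt, hash_size=...)).
import hashlib
import hmac
import os
from typing import Callable

SALT_LEN = 16   # chosen here; the API only requires >= 8 bytes
HASH_LEN = 32   # 32-byte digest, the size crypto_verify32() compares

# A KDF maps (password, salt) to HASH_LEN bytes.
Kdf = Callable[[bytes, bytes], bytes]


def monocypher_kdf(password: bytes, salt: bytes) -> bytes:
    """Argon2i via pymonocypher, with the page's default nb_blocks/nb_iterations."""
    from monocypher.pwhash import argon2i  # imported lazily so the rest runs without it
    return argon2i(password, salt, hash_size=HASH_LEN)


def stdlib_kdf(password: bytes, salt: bytes) -> bytes:
    """Stand-in KDF so the record handling below can run without pymonocypher.

    Use monocypher_kdf in real deployments; this exists only for offline testing.
    """
    return hashlib.pbkdf2_hmac('sha256', password, salt, 100_000, dklen=HASH_LEN)


def make_record(password: bytes, kdf: Kdf = monocypher_kdf) -> bytes:
    """Hash a password with a fresh random salt and return salt || digest.

    Every call draws a new salt, so two users with the same password get
    different records and work precomputed for one salt is useless for another.
    """
    salt = os.urandom(SALT_LEN)
    return salt + kdf(password, salt)


def verify_record(password: bytes, record: bytes, kdf: Kdf = monocypher_kdf) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if len(record) != SALT_LEN + HASH_LEN:
        return False  # malformed or truncated record: reject instead of raising
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    # hmac.compare_digest is the stdlib constant-time comparison; with a
    # 32-byte digest, monocypher.utils.crypto_verify32() serves the same purpose.
    return hmac.compare_digest(kdf(password, salt), digest)


if __name__ == '__main__':
    record = make_record(b'hunter2')          # store this per user
    print(verify_record(b'hunter2', record))  # True
    print(verify_record(b'hunter3', record))  # False
```

Because the salt is stored with the digest, the verifier needs no shared secret beyond the record itself, and a record of the wrong length is rejected before any hashing takes place.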