Let's Auth

These are code snippets to help you make your code more secure.

Argon2id
Bcrypt

pip install argon2-cffi

from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

def hash_password(password):
    ph = PasswordHasher()
    pw_hash = ph.hash(password)
    return pw_hash


def verify(pw_hash, password):
    ph = PasswordHasher()
    try:
        return ph.verify(pw_hash, password)
    except VerifyMismatchError:
        return False


def main():
    pw_hash = hash_password('s3cr3t')
    print(pw_hash)
    print(verify(pw_hash, 's3cr3t'))
    print(verify(pw_hash, 's3cr4t'))
    return None


if __name__ == '__main__':
    main()

pip install bcrypt

import bcrypt

def hash_password(password):
    # bcrypt.gensalt() takes an argument (in the form of eg (rounds=16))
    # which increases security, but also the cost factor
    pw_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
    return pw_hash


def verify(pw_hash, password):
    return bcrypt.checkpw(password.encode(), pw_hash)


def main():
    pw_hash = hash_password('s3cr3t')
    print(pw_hash)
    print(verify(pw_hash, 's3cr3t'))
    print(verify(pw_hash, 's3cr4t'))
    return None


if __name__ == '__main__':
    main()

Argon2id
Bcrypt

Plain Java
Spring Security

Maven
Gradle
Ivy

<dependency>
<groupId>de.mkammerer</groupId>
<artifactId>argon2-jvm</artifactId>
<version>2.6<version>
<dependency>

compile group: 'de.mkammerer', name: 'argon2-jvm', version: '2.6'

<dependency org="de.mkammerer" name="argon2-jvm" rev="2.6"/>

import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;
import de.mkammerer.argon2.Argon2Factory.Argon2Types;
import de.mkammerer.argon2.Argon2Helper;

public static String hashPassword(String password) {
    Argon2 argon2 = Argon2Factory.create(Argon2Types.ARGON2id);		
    // figure out the optimal number of iterations for your system
    // 1000 = The hash call must take at most 1000 ms
    // 65536 = Memory cost
    // 4 = parallelism; decided by the amount of logical processors on your system 
	int iterations = Argon2Helper.findIterations(argon2, 1000, 65536, 4);		
	char[] passwordArray = password.toCharArray();		
	String hash = argon2.hash(iterations, 65536, 4, passwordArray);		
	argon2.wipeArray(passwordArray);		
	return hash;		
}

// Verify that password matches hash:
public static Boolean verifyPassword(String password, String hashed) {
    Argon2 argon2 = Argon2Factory.create(Argon2Types.ARGON2id);
    return argon2.verify(hashed, password);
}

Maven
Gradle
Ivy

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>5.2.2.RELEASE</version>
</dependency>

<dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.2</version>
</dependency>


<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.64</version>
</dependency>

compile group: 'org.springframework.security', name: 'spring-security-crypto', version: '5.2.2.RELEASE'
compile group: 'commons-logging', name: 'commons-logging', version: '1.2'
compile group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.64'

<dependency org="org.springframework.security" name="spring-security-crypto" rev="5.2.2.RELEASE"/>
<dependency org="commons-logging" name="commons-logging" rev="1.2"/>
<dependency org="org.bouncycastle" name="bcprov-jdk15on" rev="1.64"/>

import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;

public static String hashPassword(String password) {
    // Argon2PasswordEncoder(int saltLength, int hashLength, int parallelism, int memory, int iterations)
    // Spring Security uses default values that should be adjusted to your system
    Argon2PasswordEncoder encoder = new Argon2PasswordEncoder();
	return encoder.encode(password);
}

// Verify that password matches hash:
public static Boolean verifyPassword(String password, String hashed) {
    Argon2PasswordEncoder encoder = new Argon2PasswordEncoder();
    return encoder.matches(password, hashed);
}

Plain Java
Spring Security

Maven
Gradle
Ivy

<dependency>
    <groupId>org.mindrot</groupId>
    <artifactId>jbcrypt</artifactId>
    <version>0.4</version>
</dependency>

compile group: 'org.mindrot', name: 'jbcrypt', version: '0.4'

<dependency org="org.mindrot" name="jbcrypt" rev="0.4"/>

import org.mindrot.jbcrypt.*;

public static String hashPassword(String password) {
    return BCrypt.hashpw(password, BCrypt.gensalt());
}

// Verify that password matches hash:
public static Boolean verifyPassword(String password, String hashed) {
    return BCrypt.checkpw(password, hashed);
}

Maven
Gradle
Ivy

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>5.2.2.RELEASE</version>
</dependency>

<dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.2</version>
</dependency>


<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.64</version>
</dependency>

compile group: 'org.springframework.security', name: 'spring-security-crypto', version: '5.2.2.RELEASE'
compile group: 'commons-logging', name: 'commons-logging', version: '1.2'
compile group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.64'

<dependency org="org.springframework.security" name="spring-security-crypto" rev="5.2.2.RELEASE"/>
<dependency org="commons-logging" name="commons-logging" rev="1.2"/>
<dependency org="org.bouncycastle" name="bcprov-jdk15on" rev="1.64"/>

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public static String hashPassword(String password) {
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
	return (encoder.encode(password);
}

// Verify that password matches hash:
public static Boolean verifyPassword(String password, String hashed) {
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    return(encoder.matches(password, hashed));
}

To customize this code to your needed specifications, click this button!

Customize

Password policy compliant with:

Password length:

Strength Checker

Yes

No

Using the Strength Checker allows you to restrict the use of common weak passwords, and warn the user of patterns that would weaken a chosen password.

Composition requirements

Yes

No

This allows you to restrict the use of passwords that do not meet certain requirements in their composition (eg passwords must contain special characters). While it is a common practice, neither OWASP nor NIST currently recommend enforcing it.

js
html

function composition() {
    var password = document.getElementById('password');
    //at least one number
    var number = /(?=.*\d)/;
    //at least one lowercase and one uppercase letter
    var upper_lower = /(?=.*[a-z])(?=.*[A-Z])/;
    // at least one special character
    var special = /[^A-Za-z0-9]/;
    return number.test(password.value) && upper_lower.test(password.value) && special.test(password.value);
}

function length() {
    var password = document.getElementById('password');
    // at least eight, at most 64 characters
    var length = /^.{8,64}$/;
    return length.test(password.value);
}

var login = document.getElementById('login-button');
var validated = document.getElementById('login-validation');

login.addEventListener('click', function() {

    console.log(composition());
    console.log(length());

    var validate = composition() && length();

    if(validate !== true) {
        validated.innerHTML = "Password is not valid!" + "<br>" + "Must be between 8 and 64 characters, contain at least one upper- and one lowercase letter, a number and a special character."; 
    }
    else {
        validated.innerHTML = "Password is valid!";
    }
});

var meter = document.getElementById('password-strength-meter');
var text = document.getElementById('password-strength-text');
                                                
var strength = {
    0: "Worst",
    1: "Bad",
    2: "Weak",
    3: "Good",
    4: "Strong"
}

password.addEventListener('input', function()
{
var val = password.value;
var result = zxcvbn(val);

// Update the password strength meter
meter.value = result.score;

// Update the text indicator
if(val !== "") {
    text.innerHTML = "Strength: " + "<strong>" + strength[result.score] + "</strong>" + "<br>" + "<span class='feedback'>" + result.feedback.warning + "<br>" + result.feedback.suggestions + "</span>"; 
}
else {
    text.innerHTML = "";
}
});

<!DOCTYPE html>
<html>
<body>

    <div class="container">
        <div class="row">
            <div class="col m6">
                <h2 class="center-align">Login</h2>
                <div class="row">
                    <form class="col s12">
                        <div class="row">
                            <div class="input-field col s12">
                                <input id="email" type="email" class="validate">
                                <label for="email">Email</label>
                            </div>
                        </div>
                        <div class="row">
                            <div class="input-field col s12">
                                <input id="password" type="password" class="validate">
                                <label for="password">Password</label>
                                <meter max="4" id="password-strength-meter"></meter>
                                <p id="password-strength-text"></p>
                            </div>
                        </div>
                        <div class="divider"></div>
                        <div class="row">
                            <div class="col m12">
                                <p class="right-align">
                                    <button id="login-button" class="btn btn-large waves-effect waves-light" type="button" name="action">Login</button>
                                    <p id="login-validation"></p>
                                </p>
                            </div>
                        </div>
                    </form>
                </div>
            </div>
        </div>
    </div>

    <script src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.2.0/zxcvbn.js"></script>
    <script type="text/javascript" src="js/scripts.js"></script>
</body>
</html>

pip install pyotp

#!/usr/bin/env python3

import pyotp


def generate_second_factor(shared_secret):

    return pyotp.TOTP(shared_secret)


def generate_uri(second_factor, user_mail):

    return second_factor.provisioning_uri(user_mail, issuer_name="Your Secure App")


def main():

    shared_secret = pyotp.random_base32()
    # The shared secret has to be stored alongside the other infos on the user to verify them in the future.
    second_factor = generate_second_factor(shared_secret)
    print(second_factor.verify(second_factor.now()))

    user_mail = "alice@google.com"
    provisioning_uri = generate_uri(second_factor, user_mail)
    # The provisioning uri can be used to generate a QR-code, 
    # which the user can scan using apps like the Google Authenticator
    print(provisioning_uri)
    
    # It might be advisable to have the user verify their account once immediately after 
    # setting up the second factor, to avoid locking them out at a later date


if __name__ == '__main__':
    main()

If you would like any further information regarding these topics, please refer to this section.

Code Snippets

Storage

Policy

Two Factor Authentication

Further Information