█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Passwords and Authentication
45 minBeginner

Passwords and Authentication

After this lesson, you will be able to: Explain how passwords are stored securely and hash a password yourself with Python and bcrypt.

Passwords are still the gateway to almost every account on the internet. Storing them safely, and recovering them safely when users forget, is harder than it looks. This lesson covers the math, the mistakes, and a hands-on hashing exercise.

Prerequisites:What is IAM?

Plaintext is poison

Storing passwords in plaintext means a single database breach exposes every user's credential. Worse, most users reuse passwords, so a leak from one site breaks logins on dozens of others. Plaintext storage has been industry malpractice since the 1970s, yet breaches still find it in production.

Hashing, the one-way function

A hash function (bcrypt, argon2, scrypt) turns a password into a fixed-length string in a way that can't be reversed. When a user logs in, you hash the input and compare hashes, the original password never sits in your database. Modern algorithms also add a unique salt per password and deliberately slow themselves down to resist brute-force.

p@ssw0rd + salt
random per-user salt
→
bcrypt
slow one-way hash
→
$2b$12$...
stored hash
One-way by design. You can verify a password against the hash, but you can never reverse the hash back to the password.

Hashing with Python and bcrypt

Install bcrypt with pip, then hash a password and verify it.

python
import bcrypt
password = b"SuperSecret123"
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
print(hashed) # $2b$12$... (always different, that's the salt)
# Later, when the user logs in:
attempt = b"SuperSecret123"
if bcrypt.checkpw(attempt, hashed):
print("Welcome back!")
else:
print("Wrong password.")

💡 Common mistakes still seen in production

Storing MD5 or SHA-1 hashes (too fast, crackable in seconds with a GPU). Storing the same hash for the same password (no salt, enables rainbow tables). Implementing your own hash (always wrong, use a vetted library).

Beyond passwords

Modern systems are moving toward passkeys (WebAuthn), cryptographic keypairs stored on your device. There's no shared secret to leak; the server only ever sees a public key. Apple, Google, and Microsoft all support passkeys today, and they're rapidly displacing passwords for high-value accounts.

Quick Check

Why is bcrypt safer than SHA-256 for passwords?

Choose the best answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←What is IAM?
Back to Identity and Access Management
Multi-Factor Authentication→