Analysing password security with Python

Password Security Tool: A Security Engineer’s Deep Dive into Cryptographic Attacks

How I built a tool that demonstrates why strong passwords matter - by breaking weak ones

---

The Mission

In the world of cybersecurity, passwords are often the weakest link in the security chain. As a security engineer, I’ve seen countless breaches that started with a simple password compromise. But what fascinates me most isn’t just the attacks - it’s understanding why they work and how to prevent them.

Enter my Password Security Tool: a Python application that validates password strength, demonstrates cryptographic hashing, implements salting techniques, and simulates real-world password attacks. This project represents my passion for cryptographic security and attack simulation - essential skills for any security engineer who wants to understand both sides of the security equation.

---

Password Validation: The First Line of Defense

Multi-Layer Security Validation

def validate_password(password):
    # Check if the password has at least 8 characters
    if len(password) < 8:
        return False

    # Check if the password contains at least one uppercase letter
    if not re.search(r'[A-Z]', password):
        return False

    # Check if the password contains at least one lowercase letter
    if not re.search(r'[a-z]', password):
        return False

    # Check if the password contains at least one digit
    if not re.search(r'\d', password):
        return False

    # Check if the password contains at least one special character
    if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
        return False

    return True

Security Correlation: This implements defense in depth for password security. Each validation rule addresses a specific attack vector:

• Length requirement - Prevents brute force attacks
• Character diversity - Increases entropy and complexity
• Special characters - Thwarts dictionary attacks
• Mixed case - Expands the search space exponentially

As a security engineer, this is how I design input validation systems that prevent common attack patterns before they reach the authentication layer.

---

Cryptographic Hashing: Understanding the Foundation

SHA-256 Implementation

def create_hash(passwd):
    pass_bytes = passwd.encode('utf-8')
    pass_hash = sha256(pass_bytes)
    hashed_pass = pass_hash.hexdigest()
    return hashed_pass

Security Correlation: This demonstrates cryptographic hashing - a fundamental security concept. SHA-256 is a one-way function that converts passwords into fixed-length strings. As a security engineer, I use hashing to:

• Protect stored passwords - Even if the database is compromised, attackers can’t recover plaintext passwords
• Verify integrity - Ensure passwords haven’t been tampered with
• Comply with standards - Meet regulatory requirements for password storage

Salt Implementation

def salted_hash(salt, password):
    salt = salt.encode('utf-8')
    password = password.encode('utf-8')
    hashed_password = sha256(salt+password).hexdigest()
    return hashed_password

Security Correlation: This implements password salting - a critical defense against rainbow table attacks. By adding a random salt to each password before hashing, I ensure that:

• Same passwords hash differently - Prevents rainbow table attacks
• Attackers can’t precompute hashes - Forces them to attack each password individually
• Compromised hashes are harder to crack - Increases the computational cost of attacks

---

Attack Simulation: Understanding the Adversary

Dictionary Attack Implementation

def attack(dictionary_word, target_hash):
    pass_bytes = str(dictionary_word).encode('utf-8')
    pass_hash = sha256(pass_bytes)
    digest = pass_hash.hexdigest()
    if digest == target_hash:
        return True

Security Correlation: This simulates dictionary attacks - one of the most common password cracking techniques. As a security engineer, understanding attack methods is crucial because:

• You can’t defend against what you don’t understand - Attack simulation reveals vulnerabilities
• Realistic testing - Demonstrates the effectiveness of security controls
• Risk assessment - Helps quantify the impact of weak passwords
• Security awareness - Shows why strong passwords matter

Brute Force Simulation

# match all words from the dictionary until it matches/ends
for test_word in dictionary["passwords"]:
    if attack(test_word, salted_passwd):
        print('Salted Hash Matched for user', username, ': ', test_word)
        break

Security Correlation: This demonstrates brute force attacks against both salted and unsalted hashes. The comparison shows:

• Salted hashes are harder to crack - Even with the same password
• Dictionary attacks are still effective - Against weak passwords
• Time complexity matters - Salting increases attack time significantly

---

Security Engineering Principles Demonstrated

1. Defense in Depth

The tool implements multiple security layers:

• Input validation - Prevents weak passwords
• Cryptographic hashing - Protects stored passwords
• Password salting - Prevents rainbow table attacks
• Attack simulation - Validates security controls

2. Security by Design

# Create a salt of 8 characters
N = 8
salt = ''.join(random.choices(string.ascii_lowercase + string.digits, k=N))

Security Correlation: This implements cryptographic randomness - a crucial security principle. The salt generation uses:

• Cryptographically secure randomness - Prevents predictable salts
• Adequate entropy - 8 characters provide sufficient randomness
• Secure implementation - Uses Python’s secure random functions

3. Attack Surface Reduction

The tool demonstrates how each security measure reduces the attack surface:

• Strong passwords - Increase brute force time exponentially
• Hashing - Prevents plaintext password recovery
• Salting - Prevents rainbow table attacks
• Validation - Prevents common weak passwords

---

Technical Skills Demonstrated

Programming & Cryptography

• Python - Core development language
• Cryptographic Libraries - SHA-256 hashing implementation
• Regular Expressions - Pattern matching for password validation
• Data Processing - Pandas for dictionary attack simulation

Security Engineering Skills

• Cryptographic Security - Hashing and salting implementation
• Attack Simulation - Dictionary and brute force attacks
• Password Security - Multi-factor validation
• Security Testing - Vulnerability assessment
• Risk Analysis - Attack impact evaluation

Cybersecurity Knowledge

• Password Policies - Strength requirements and validation
• Cryptographic Attacks - Rainbow tables, dictionary attacks
• Security Controls - Defense mechanisms and their effectiveness
• Compliance - Password security standards

---

Why This Matters for Security Engineering

Building this password security tool reinforced several critical security principles:

1. Understanding Attacks is Essential - You can’t defend against what you don’t understand
2. Cryptography is Fundamental - Proper implementation prevents many attacks
3. User Education Matters - Tools like this demonstrate why strong passwords are necessary
4. Testing is Crucial - Attack simulation validates security controls
5. Layered Defense Works - Multiple security measures are more effective than single controls

---

Future Enhancements

This project has opened my eyes to the potential of advanced password security. I’m planning to add:

• Machine Learning Integration - Predict password strength patterns
• Advanced Attack Simulation - GPU-accelerated brute force attacks
• Password Breach Analysis - Check against known compromised passwords
• Multi-Factor Authentication - Demonstrate additional security layers
• Password Policy Testing - Validate organizational password requirements
• Real-Time Threat Detection - Monitor for password-based attacks

---

Security Lessons Learned

1. Cryptography is Not Magic

Understanding how cryptographic functions work is crucial for security engineers. This tool demonstrates that proper implementation makes the difference between security and vulnerability.

2. Attack Simulation is Educational

By simulating attacks, I’ve learned that many security controls that seem strong can be bypassed with the right tools and techniques.

3. User Behavior is the Weakest Link

Even with strong technical controls, weak passwords remain a major security risk. This tool helps demonstrate why password policies matter.

4. Security is a Process, Not a Product

Password security requires ongoing monitoring, testing, and improvement. This tool is just one step in a comprehensive security strategy.

---

Real-World Applications

This tool has practical applications in:

• Security Awareness Training - Demonstrate password risks
• Penetration Testing - Validate password security controls
• Security Auditing - Assess password policy effectiveness
• Incident Response - Analyze password-related breaches
• Compliance Testing - Verify password security standards

---

Final Thoughts

Building this password security tool taught me that password security is more than just complexity requirements. It’s about understanding the entire attack landscape and implementing appropriate defenses at each layer. The same analytical skills I use to investigate security incidents apply to building secure authentication systems.

The most valuable lesson? Security is about making attacks expensive. Every security measure in this tool - validation, hashing, salting - increases the cost and time required for successful attacks. As security threats become more sophisticated, tools like this become essential for understanding and defending against password-based attacks.

---

This project demonstrates that security engineering is about building tools that both protect systems and educate users about security risks. Whether you’re implementing authentication systems, conducting security assessments, or building security tools, the fundamental principles remain the same: understand the threats, implement appropriate controls, and continuously test your defenses.

GitHub: Project Repository
Skills: Python, Cryptography, Password Security, Attack Simulation, Security Testing

---

What security tools have you built that help you understand both the defensive and offensive aspects of cybersecurity? I’d love to hear your experiences!