Tags: python, security, salt-cryptography, sha256, passlib

Is it safe to store passwords encrypted with sha256_crypt but without additional salt?


Is it safe to create a hash of user passwords with sha256_crypt.encrypt("secretUserPassword") and store it in a database without adding a salt to the hash?

If so, what protects the hashes against rainbow table attacks?

This is how I create a new user in my web application and store it to the database:

from passlib.hash import sha256_crypt

admin = User()
admin.name = 'admin'
# passlib returns a self-describing hash string ($5$rounds=...$salt$checksum)
admin.password = sha256_crypt.encrypt("secretAdminPassword")
db.persist_user(admin)

This is how I check the credentials and log the user in:

username = request.form['username']
password = request.form['password']
user = user_from_db(username)
# verify() reads the salt and round count back out of the stored string
if sha256_crypt.verify(password, user.password):
    login_user(user)

Solution

  • The documentation states that the function sha256_crypt.encrypt("password") not only calculates a SHA-256 hash, it also...

    1. adds a salt automatically
    2. does many rounds of hashing

    Both points are essential to get a safe password hashing function. Using it without a self-made salt is preferred, because there are several pitfalls in creating a cryptographically safe salt, so it is best to leave it to the library.
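To make the answer's point concrete, here is an added example (not code from passlib or from the question) that does with the standard library what passlib's sha256_crypt does for you: draw a random salt per hash, run many rounds, and store salt and round count inside the hash string so that verification needs no separate salt column. It also parses the real sha256_crypt string layout (`$5$rounds=N$salt$checksum`) to show where the salt lives. The PBKDF2 scheme name, the work factor, and the sample hash strings are constructed for illustration; the functions `hash_password`, `verify_password` and `parse_sha256_crypt` are assumptions, not passlib APIs.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example, not passlib's code. Illustrates the three properties the
# answer credits sha256_crypt with: automatic per-hash salt, many rounds,
# and a stored string that carries both. Scheme name and work factor are
# illustrative assumptions, not passlib's values.
SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 100_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scheme$rounds$salt$digest.

    The salt comes from the OS CSPRNG when the caller does not supply one,
    so application code never has to invent its own (the answer's point).
    A fixed salt may be passed only to make tests reproducible.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join(["", SCHEME, str(rounds), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the salt and rounds stored in the record.

    Malformed records return False instead of raising, so a corrupted row
    cannot turn into an exception on the login path. The comparison is
    constant-time to avoid leaking how many leading bytes matched.
    """
    try:
        _, scheme, rounds, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds_int = int(rounds)
    except (ValueError, TypeError):
        return False
    if rounds_int < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds_int)
    return hmac.compare_digest(actual, expected)


def parse_sha256_crypt(stored: str) -> Tuple[int, str, str]:
    """Split a sha256_crypt string into (rounds, salt, checksum).

    Layout is $5$rounds=N$salt$checksum, or $5$salt$checksum when the
    implicit default of 5000 rounds is used. The salt is embedded in the
    string itself, which is why no separate salt column is needed.
    """
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "5":
        raise ValueError("not a sha256_crypt hash")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts = parts[:2] + parts[3:]
    if len(parts) != 4:
        raise ValueError("not a sha256_crypt hash")
    return rounds, parts[2], parts[3]


if __name__ == "__main__":
    # Same password, two different records: the random salt defeats
    # precomputed (rainbow) tables because no table can cover every salt.
    first = hash_password("secretUserPassword")
    second = hash_password("secretUserPassword")
    print(first)
    print(second)
    print("records differ:", first != second)
    print("verify ok:", verify_password("secretUserPassword", first))
    print("verify bad:", verify_password("wrong", first))
    # Constructed sha256_crypt-style string, not a real passlib output.
    print(parse_sha256_crypt("$5$rounds=535000$abcdefghijklmnop$" + "x" * 43))
```

Two things worth noticing when running it: hashing the same password twice yields two different records, and `verify_password` recovers the salt and round count from the record alone, exactly as `sha256_crypt.verify` does with the `$5$...` string in the question. (In passlib 1.7 and later, `sha256_crypt.hash` is the preferred name for `encrypt`; both produce the same format.)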