Hashing Passwords in Python with BCrypt


Password hashing is a technique used to store passwords securely. It involves converting plain text passwords into a hashed format that cannot be easily reversed or decrypted. By hashing passwords, even if a hacker gains access to the password database, they will not be able to decipher the passwords.

BCrypt is a password hashing algorithm that is considered one of the most secure algorithms for password hashing in Python. BCrypt is designed to be slow, which makes it more difficult for hackers to crack the hashed passwords. In this post, we will explain the syntax, code algorithm, and Python code examples for hashing passwords with BCrypt in Python.

Syntax

Import the required packages and libraries needed to hash passwords with BCrypt in Python. First, do “pip install bcrypt”

import bcrypt
hashed_password = bcrypt.hashpw(password, salt)

Here, password is the user-submitted password as a byte string and salt is a random value that is combined with the password before hashing, so that two users with the same password end up with different hashes. hashpw is the core function: it produces the hash that you store. Nothing is encrypted and nothing is decrypted later; to authenticate a user, checkpw() hashes the submitted password with the salt embedded in the stored value and compares the result.

Some other popular methods available are −

hashpw(password, salt)

Syntax

bcrypt.hashpw(password, salt)

This method hashes the password using the salt provided. It returns a hashed password that can be stored in a database.

Parameters

  • password − The password to be hashed as a byte string.

  • salt − The salt to be used in the hashing process. This should also be a byte string.

gensalt(rounds=12)

Syntax

bcrypt.gensalt(rounds=12)

This method generates a random salt that can be used in the password hashing process. It returns the salt as a byte string.

Parameters

  • rounds − The cost factor to use in the hashing process. It is a log2 work factor, so each additional round doubles the time needed to compute (and to brute-force) a hash. The default value is 12, and it is recommended to use a value between 10 and 15.

checkpw(password, hashed_password)

Syntax

bcrypt.checkpw(password, hashed_password)

This method checks if the plain text password matches the hashed password. It returns a Boolean value.

Parameters

  • password − The plain text password to be checked, as a byte string.

  • hashed_password − The hashed password to be compared against, as returned by hashpw().

kdf(password, salt, desired_key_bytes, rounds)

Syntax

bcrypt.kdf(password, salt, desired_key_bytes, rounds)

This method runs bcrypt's key derivation function (KDF) to derive a cryptographic key of the requested length from a password and salt. Unlike hashpw(), its output is raw key bytes intended for use with other cryptography (for example as an encryption key), not a password hash to store in a database.

Parameters

  • password − The password to be used in the KDF.

  • salt − The salt to be used in the KDF.

  • desired_key_bytes − The number of bytes of the derived key.

  • rounds − The number of rounds to use in the KDF.

  • hash function − The hash function used internally by the KDF is SHA-512. It is fixed; the bcrypt package does not accept a hash function argument.

Algorithm

  • Generate a random salt (a string of characters) using BCrypt's built-in function.

  • Combine the plain text password with the salt.

  • Hash the combination of the plain text password and the salt using BCrypt's hashpw() function

  • Store the hashed password in the password database.

The importance of adding salt to the hashed password cannot be overstated. Salt is a random string of characters that is unique for each user, so an attacker cannot use precomputed tables to crack the hashed password and must attack each hash separately. Because bcrypt writes the salt and the cost factor into the hash string it returns, only that string needs to be stored; checkpw() reads the salt back out of it.

Example

import bcrypt
password = b"password123"                  # passwords must be byte strings
salt = bcrypt.gensalt(rounds=15)           # random salt with a cost factor of 15
hashed_password = bcrypt.hashpw(password, salt)   # this is the value to store
print(hashed_password)

Output

b'$2b$15$4bBaa1VTwVvZlEolrZD/ZOX9.83EZn30JbDZnLgQVgW8fKyQNmzZi'

Explanation

  • Define the plain text password as "password123".

  • Use BCrypt's built-in gensalt() function to generate a random salt. We specify the number of rounds as 15.

  • Combine the plain text password and the salt.

  • Apply BCrypt's hashpw() function to hash the combination of the plain text password and the salt.

  • Store the hashed password in the variable hashed_password.

import bcrypt
password = b"password123"
salt = bcrypt.gensalt(rounds=15)
hashed_password = bcrypt.hashpw(password, salt)
# checkpw() rehashes the submitted password with the salt embedded in hashed_password
if bcrypt.checkpw(password, hashed_password):
    print("Password is correct")
else:
    print("Password is incorrect")

Output

Password is correct

Explanation

  • Import the bcrypt library using the import statement.

  • Define the plain text password as "password123".

  • Use BCrypt's built-in gensalt() function to generate a random salt. We specify the number of rounds as 15.

  • Combine the plain text password and the salt.

  • Apply BCrypt's hashpw() function to hash the combination of the plain text password and the salt.

  • Store the hashed password in the variable hashed_password.

  • Use BCrypt's checkpw() function to compare the plain text password with the hashed password.

  • If the plain text password matches the hashed password, print "Password is correct". Otherwise, print "Password is incorrect".

Application

Password hashing is an essential element that you should take into consideration if you want to make sure that your application stores passwords securely. It's widely used by applications including online banking, e-commerce websites, and social networking sites to protect user passwords. BCrypt is one of the most popular and safe methods for hashing passwords in Python, and it comes highly recommended when it comes to hashing passwords.

Conclusion

You now know how to use BCrypt to hash passwords in Python after reading this tutorial. We supplied Python code samples and detailed the syntax and method for using BCrypt to hash passwords. We also emphasized how crucial it is to strengthen the security of the hashed password by adding salt. Some applications that need password hashing employ the extremely secure password hashing method BCrypt. So, adopting BCrypt is advised if you wish to increase the security of your application by hashing passwords.

Updated on: 18-Apr-2023
