In this article, we will see how to hash passwords in Python with Bcrypt. Storing passwords in plain text is bad practice, as anyone who obtains the stored data can read them directly; that's why it is recommended to keep them in hashed form.
What is hashing?
It's the process of converting one string to another using a hash function. There are various types of hash functions, but all of them share some basic properties: hashing is an irreversible process, i.e. the conversion goes only one way; the length of the hash is fixed; and an input string should uniquely correspond to its hash so that we can compare them later. This makes hashing ideal for passwords and authentication.
Hash a Password in Python Using Bcrypt
Bcrypt is a password hashing function designed by Niels Provos and David Mazières. Bcrypt uses strong cryptography, based on the Blowfish cipher, to salt and hash passwords. To make the hashing stronger we can increase the "cost factor", and it can be raised further as computers become faster. Bcrypt is also intentionally slow, which makes brute-force attacks slower and harder.
To install Bcrypt use the command –
pip install bcrypt
The Bcrypt functions used –
- bcrypt.gensalt() – It is used to generate a salt. A salt is a pseudorandom string that is added to the password. Since hashing always gives the same output for the same input, someone with access to the database could otherwise defeat the hashing by comparing it against hashes of known passwords; to prevent that, a salt is added to the password before hashing. It doesn't need any arguments and returns a pseudorandom string.
- bcrypt.hashpw() – It is used to create the final hash, which is stored in a database.
- Arguments – We pass the password and the salt, both as bytes.
- Return value – If hashing is successful, it returns the hash string.
Hashing passwords
To use bcrypt, you'll need to import the bcrypt module. After that, the bcrypt.hashpw() function takes 2 arguments: a string (as bytes) and a salt. A salt is random data used in the hashing function. Let's hash a password and print it in the following examples.
Example 1:
Python3
import bcrypt

# example password
password = 'password123'

# converting the password to an array of bytes
# (named password_bytes rather than bytes so the builtin is not shadowed)
password_bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# hashing the password (named hashed so the builtin hash is not shadowed)
hashed = bcrypt.hashpw(password_bytes, salt)

print(hashed)
Output: a bcrypt hash printed as bytes; the exact value differs on every run because gensalt() produces a fresh random salt.
Example 2:
Now let’s just change the input password a little bit to see the behavior of hashing.
Python3
import bcrypt

# example password
password = 'passwordabc'

# converting the password to an array of bytes
password_bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# hashing the password
hashed = bcrypt.hashpw(password_bytes, salt)

print(hashed)
Output: a different bcrypt hash printed as bytes; again the exact value differs on every run because of the random salt.
Checking passwords
The following example checks a password against a hashed value.
Example 1:
Here we will check whether the user has entered the correct password or not; for that we can use bcrypt.checkpw(password, hash). First, let's assume the user entered the wrong password.
Python3
import bcrypt

# example password
password = 'passwordabc'

# converting the password to an array of bytes
password_bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# hashing the password
hashed = bcrypt.hashpw(password_bytes, salt)

# taking the user-entered password
user_password = 'password000'

# encoding the user password
user_bytes = user_password.encode('utf-8')

# checking the password against the stored hash
result = bcrypt.checkpw(user_bytes, hashed)

print(result)
Output: False
Example 2:
Now let’s see what happens when passwords are matched:
Python3
import bcrypt

# example password
password = 'passwordabc'

# converting the password to an array of bytes
password_bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# hashing the password
hashed = bcrypt.hashpw(password_bytes, salt)

# taking the user-entered password
user_password = 'passwordabc'

# encoding the user password
user_bytes = user_password.encode('utf-8')

# checking the password against the stored hash
result = bcrypt.checkpw(user_bytes, hashed)

print(result)
Output: True