Movatterモバイル変換


[0]ホーム

URL:


Skip to content
DEV Community
Log in Create account

DEV Community

Cover image for Hashing User Passwords Using bcrypt in Python
Sachin
Sachin

Posted on • Originally published atgeekpython.in

     

Hashing User Passwords Using bcrypt in Python

Web-based services and websites store hashed versions of your passwords, which means your actual password isn't visible or stored in their database instead a string of fixed-length characters is stored.

Hashing is a security technique used to secure your passwords or texts stored in databases. A hash function is used to generate a string of unique fixed-length characters from the provided password by the user.

Let's see how the hashing is done. In this article, you'll use thebcrypt library to hash the user's password and then compare that hashed password to the actual password in Python. You'll also learn more about the bcrypt library.

Installing bcrypt

Open your terminal window and run the following command to install thebcrypt library usingpip.

pipinstallbcrypt
Enter fullscreen modeExit fullscreen mode

Now that thebcrypt is installed in your system, the next step is to use it for hashing the user's password.

Hash Password using bcrypt

In this section, you'll see the functions provided by thebcrypt library that will help you generatesalt andhash values.

importbcrypt# Password to Hashmy_password=b'Sachinfromgeekpython'# Generating Saltsalt=bcrypt.gensalt()# Hashing Passwordhash_password=bcrypt.hashpw(password=my_password,salt=salt)print(f"Actual Password:{my_password.decode('utf-8')}")# Print Hashed Passwordprint(f"Hashed Password:{hash_password.decode('utf-8')}")
Enter fullscreen modeExit fullscreen mode

The above code imports thebcrypt library for hashing the password. A test password is provided in bytes and is stored inside themy_password variable.

The code uses thegensalt() function from thebcrypt library to generate the salt, a string of characters to enhance security.

The salt is a random and unique string of characters combined with the password before hashing to provide additional security, it will always be unique, if two users have the same password, their hashed passwords will be different.

Then the actual password (my_password) and salt (salt) are passed to thehashpw() function from thebcrypt library to produce the hash value of the actual password.

Finally, the actual and hashed passwords are decoded and printed.

Actual Password: SachinfromgeekpythonHashed Password:$2b$12$RF6JLXecIE4qujuPgTwkC.GN2BsOmGf8Ji10LyquoBaHkHWUWgiAm
Enter fullscreen modeExit fullscreen mode

Check Password using bcrypt

Now that you've hashed the password, the next step is to verify the actual password's hash value against the user-provided password.

importbcrypt# Password to Hashmy_password=b'Sachinfromgeekpython'# Generating Saltsalt=bcrypt.gensalt()# Hashing Passwordhash_password=bcrypt.hashpw(password=my_password,salt=salt)# User-provided Passworduser_password=b'Sachinfromgeekpython'# Checking Passwordcheck=bcrypt.checkpw(password=user_password,hashed_password=hash_password)# This will print True or Falseprint(check)# Verifying the Passwordifcheck:print("Welcome to GeekPython.")else:print("Invalid Credential.")
Enter fullscreen modeExit fullscreen mode

The above code uses thecheckpw() function from thebcrypt library to check the user-provided password against the hashed password. The hashed password (hash_password) and user-provided password (user_password) are passed inside the function and the result is stored inside thecheck variable.

Then the code prints thecheck variable to obtain the result. In the end, anif-else statement is used to verify the password.

TrueWelcome to GeekPython.
Enter fullscreen modeExit fullscreen mode

True in the output above indicates that the hashed password matches the user-provided password, making the first condition true.

Hash Password Using KDF (Key Derivation Function)

KDF (Key Derivation Function) is used to add additional security in password hashing. KDFs are used to derive keys from passwords for authentication purposes while including salt and the number of rounds.

importbcryptpassword=b'Sachinfromgeekpython'salt=bcrypt.gensalt()# Using KDF from bcrypt Libkey=bcrypt.kdf(password=password,salt=salt,desired_key_bytes=32,rounds=200)# Print Generated Keyprint(f"Key:{key}")
Enter fullscreen modeExit fullscreen mode

The above code uses thekdf() function from thebcrypt library to derive a key from the password. The function is passed with four parameters:

  • password: This parameter is set to thepassword variable which contains a byte string.

  • salt: This parameter is set to thesalt variable that contains a unique and fixed-length salt.

  • desired_key_bytes: This parameter is set to32 which is the desired length of the derived key we want. You can set it to your own desired length.

  • rounds: This parameter is set to200 which is the number of iterations to make the derivation of the key more computationally intense to increase security. The higher the rounds more the security but the more it uses resources and time.

Finally, the result stored in thekey variable is printed.

Key: b'\xc4#VW\x9a\x16\xdbG?\x11\xa9\xf7\xbd\x88"7+zxo\xfe@\xce\xab\x89\xc3g\x1c\xec~\xbe\xf7'
Enter fullscreen modeExit fullscreen mode

Verifying the Password with KDF

importbcryptpassword=b'Sachinfromgeekpython'salt=bcrypt.gensalt()# Using KDF from bcrypt Libkey=bcrypt.kdf(password=password,salt=salt,desired_key_bytes=32,rounds=200)# User-provided Passworduser_password=b'Sachinfromgeekpython'# Deriving Key from User-provided Passworduser_key=bcrypt.kdf(password=user_password,salt=salt,desired_key_bytes=32,rounds=200)# Verifying the Passwordifuser_key==key:print("Welcome to GeekPython.")else:print("Invalid Credential.")
Enter fullscreen modeExit fullscreen mode

The code derives the key from the user-provided password (user_password) and stores it inside theuser_key variable.

Then the code verifies the derived keys from the user-provided password (user_key) and the actual password (password).

Welcome to GeekPython.
Enter fullscreen modeExit fullscreen mode

The output indicates that the key derived from the user-provided password matches the key derived from the actual password.

Customizing Salt

Thegensalt() function accepts two parameters:rounds andprefix, which allow you to customize the number of rounds of hashing to apply to the salt and prefix of the salt.

importbcrypt# Customize Saltsalt=bcrypt.gensalt(rounds=30,prefix=b'2a')# Print Generated Saltprint(salt.decode('utf-8'))
Enter fullscreen modeExit fullscreen mode

The above code customizes the salt generation by passing therounds parameter which is set to30 and theprefix parameter which is set tob'2a' to thegensalt() function.

$2a$30$5uKaXaXVceqCjmKkPf2mnu
Enter fullscreen modeExit fullscreen mode

You can notice that in the beginning after$, above provided2a is prefixed, and just after that30 indicates the number of rounds.

Conclusion

Password hashing prevents exposing the user's actual password to the attackers. The hash function, which is simply a mathematical function is used to produce the hash value of the password.

In this article, you've learned to hash the user's password using thebcrypt library in Python and then check the produced hash value against the user-provided password. Additionally, you've seen theKDF (Key Derivation Function) that adds additional security for hashing.


🏆Other articles you might be interested in if you liked this one

Different methods to convert bytes into a string in Python.

Create a WebSocket server and client in Python.

Create multi-threaded Python programs using a threading module.

Comparing the accuracies of 4 different pre-trained deep learning models?

Upload and display images on the frontend using Flask.

How does the learning rate affect the ML and DL models?


That's all for now

Keep Coding✌✌

Top comments(0)

Subscribe
pic
Create template

Templates let you quickly answer FAQs or store snippets for re-use.

Dismiss

Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment'spermalink.

For further actions, you may consider blocking this person and/orreporting abuse

A Python developer obsessed with Machine Learning and Data Science.
  • Location
    Delhi
  • Joined

More fromSachin

DEV Community

We're a place where coders share, stay up-to-date and grow their careers.

Log in Create account

[8]ページ先頭

©2009-2025 Movatter.jp