
Posted on • Originally published atgeekpython.in
Hashing User Passwords Using bcrypt in Python
Web-based services and websites store hashed versions of your passwords, which means your actual password isn't visible or stored in their database instead a string of fixed-length characters is stored.
Hashing is a security technique used to secure your passwords or texts stored in databases. A hash function is used to generate a string of unique fixed-length characters from the provided password by the user.
Let's see how the hashing is done. In this article, you'll use thebcrypt library to hash the user's password and then compare that hashed password to the actual password in Python. You'll also learn more about the bcrypt library.
Installing bcrypt
Open your terminal window and run the following command to install thebcrypt
library usingpip.
pipinstallbcrypt
Now that thebcrypt
is installed in your system, the next step is to use it for hashing the user's password.
Hash Password using bcrypt
In this section, you'll see the functions provided by thebcrypt
library that will help you generatesalt andhash values.
importbcrypt# Password to Hashmy_password=b'Sachinfromgeekpython'# Generating Saltsalt=bcrypt.gensalt()# Hashing Passwordhash_password=bcrypt.hashpw(password=my_password,salt=salt)print(f"Actual Password:{my_password.decode('utf-8')}")# Print Hashed Passwordprint(f"Hashed Password:{hash_password.decode('utf-8')}")
The above code imports thebcrypt
library for hashing the password. A test password is provided in bytes and is stored inside themy_password
variable.
The code uses thegensalt()
function from thebcrypt
library to generate the salt, a string of characters to enhance security.
The salt is a random and unique string of characters combined with the password before hashing to provide additional security, it will always be unique, if two users have the same password, their hashed passwords will be different.
Then the actual password (my_password
) and salt (salt
) are passed to thehashpw()
function from thebcrypt
library to produce the hash value of the actual password.
Finally, the actual and hashed passwords are decoded and printed.
Actual Password: SachinfromgeekpythonHashed Password:$2b$12$RF6JLXecIE4qujuPgTwkC.GN2BsOmGf8Ji10LyquoBaHkHWUWgiAm
Check Password using bcrypt
Now that you've hashed the password, the next step is to verify the actual password's hash value against the user-provided password.
importbcrypt# Password to Hashmy_password=b'Sachinfromgeekpython'# Generating Saltsalt=bcrypt.gensalt()# Hashing Passwordhash_password=bcrypt.hashpw(password=my_password,salt=salt)# User-provided Passworduser_password=b'Sachinfromgeekpython'# Checking Passwordcheck=bcrypt.checkpw(password=user_password,hashed_password=hash_password)# This will print True or Falseprint(check)# Verifying the Passwordifcheck:print("Welcome to GeekPython.")else:print("Invalid Credential.")
The above code uses thecheckpw()
function from thebcrypt
library to check the user-provided password against the hashed password. The hashed password (hash_password
) and user-provided password (user_password
) are passed inside the function and the result is stored inside thecheck
variable.
Then the code prints thecheck
variable to obtain the result. In the end, anif-else
statement is used to verify the password.
TrueWelcome to GeekPython.
True
in the output above indicates that the hashed password matches the user-provided password, making the first condition true.
Hash Password Using KDF (Key Derivation Function)
KDF (Key Derivation Function) is used to add additional security in password hashing. KDFs are used to derive keys from passwords for authentication purposes while including salt and the number of rounds.
importbcryptpassword=b'Sachinfromgeekpython'salt=bcrypt.gensalt()# Using KDF from bcrypt Libkey=bcrypt.kdf(password=password,salt=salt,desired_key_bytes=32,rounds=200)# Print Generated Keyprint(f"Key:{key}")
The above code uses thekdf()
function from thebcrypt
library to derive a key from the password. The function is passed with four parameters:
password
: This parameter is set to thepassword
variable which contains a byte string.salt
: This parameter is set to thesalt
variable that contains a unique and fixed-length salt.desired_key_bytes
: This parameter is set to32
which is the desired length of the derived key we want. You can set it to your own desired length.rounds
: This parameter is set to200
which is the number of iterations to make the derivation of the key more computationally intense to increase security. The higher the rounds more the security but the more it uses resources and time.
Finally, the result stored in thekey
variable is printed.
Key: b'\xc4#VW\x9a\x16\xdbG?\x11\xa9\xf7\xbd\x88"7+zxo\xfe@\xce\xab\x89\xc3g\x1c\xec~\xbe\xf7'
Verifying the Password with KDF
importbcryptpassword=b'Sachinfromgeekpython'salt=bcrypt.gensalt()# Using KDF from bcrypt Libkey=bcrypt.kdf(password=password,salt=salt,desired_key_bytes=32,rounds=200)# User-provided Passworduser_password=b'Sachinfromgeekpython'# Deriving Key from User-provided Passworduser_key=bcrypt.kdf(password=user_password,salt=salt,desired_key_bytes=32,rounds=200)# Verifying the Passwordifuser_key==key:print("Welcome to GeekPython.")else:print("Invalid Credential.")
The code derives the key from the user-provided password (user_password
) and stores it inside theuser_key
variable.
Then the code verifies the derived keys from the user-provided password (user_key
) and the actual password (password
).
Welcome to GeekPython.
The output indicates that the key derived from the user-provided password matches the key derived from the actual password.
Customizing Salt
Thegensalt()
function accepts two parameters:rounds
andprefix
, which allow you to customize the number of rounds of hashing to apply to the salt and prefix of the salt.
importbcrypt# Customize Saltsalt=bcrypt.gensalt(rounds=30,prefix=b'2a')# Print Generated Saltprint(salt.decode('utf-8'))
The above code customizes the salt generation by passing therounds
parameter which is set to30
and theprefix
parameter which is set tob'2a'
to thegensalt()
function.
$2a$30$5uKaXaXVceqCjmKkPf2mnu
You can notice that in the beginning after$
, above provided2a
is prefixed, and just after that30
indicates the number of rounds.
Conclusion
Password hashing prevents exposing the user's actual password to the attackers. The hash function, which is simply a mathematical function is used to produce the hash value of the password.
In this article, you've learned to hash the user's password using thebcrypt
library in Python and then check the produced hash value against the user-provided password. Additionally, you've seen theKDF (Key Derivation Function) that adds additional security for hashing.
🏆Other articles you might be interested in if you liked this one
✅Different methods to convert bytes into a string in Python.
✅Create a WebSocket server and client in Python.
✅Create multi-threaded Python programs using a threading module.
✅Comparing the accuracies of 4 different pre-trained deep learning models?
✅Upload and display images on the frontend using Flask.
✅How does the learning rate affect the ML and DL models?
That's all for now
Keep Coding✌✌
Top comments(0)
For further actions, you may consider blocking this person and/orreporting abuse