Easy Password Hashing Using bcrypt in Python

Sachin Pal
5 min readNov 13, 2023

Web-based services and websites store hashed versions of your passwords, which means your actual password isn’t visible or stored in their database instead a string of fixed-length characters is stored.

Hashing is a security technique used to secure your passwords or texts stored in databases. A hash function is used to generate a string of unique fixed-length characters from the provided password by the user.

Let’s see how the hashing is done. In this article, you’ll use the bcrypt library to hash the user’s password and then compare that hashed password to the actual password in Python. You’ll also learn more about the bcrypt library.

Installing bcrypt

Open your terminal window and run the following command to install the bcrypt library using pip.

pip install bcrypt

Now that the bcrypt is installed in your system, the next step is to use it for hashing the user's password.

Hash Password using bcrypt

In this section, you’ll see the functions provided by the bcrypt library that will help you generate salt and hash values.

import bcrypt

# Password to Hash
my_password = b'Sachinfromgeekpython'

# Generating Salt
salt = bcrypt.gensalt()

# Hashing Password
hash_password = bcrypt.hashpw(
password=my_password,
salt=salt
)

print(f"Actual Password: {my_password.decode('utf-8')}")
# Print Hashed Password
print(f"Hashed Password: {hash_password.decode('utf-8')}")

The above code imports the bcrypt library for hashing the password. A test password is provided in bytes and is stored inside the my_password variable.

The code uses the gensalt() function from the bcrypt library to generate the salt, a string of characters to enhance security.

The salt is a random and unique string of characters combined with the password before hashing to provide additional security, it will always be unique, if two users have the same password, their hashed passwords will be different.

Then the actual password (my_password) and salt (salt) are passed to the hashpw() function from the bcrypt library to produce the hash value of the actual password.

Finally, the actual and hashed passwords are decoded and printed.

Actual Password: Sachinfromgeekpython
Hashed Password: $2b$12$RF6JLXecIE4qujuPgTwkC.GN2BsOmGf8Ji10LyquoBaHkHWUWgiAm

Check Password using bcrypt

Now that you’ve hashed the password, the next step is to verify the actual password’s hash value against the user-provided password.

import bcrypt

# Password to Hash
my_password = b'Sachinfromgeekpython'

# Generating Salt
salt = bcrypt.gensalt()

# Hashing Password
hash_password = bcrypt.hashpw(
password=my_password,
salt=salt
)

# User-provided Password
user_password = b'Sachinfromgeekpython'

# Checking Password
check = bcrypt.checkpw(
password=user_password,
hashed_password=hash_password
)

# This will print True or False
print(check)

# Verifying the Password
if check:
print("Welcome to GeekPython.")
else:
print("Invalid Credential.")

The above code uses the checkpw() function from the bcrypt library to check the user-provided password against the hashed password. The hashed password (hash_password) and user-provided password (user_password) are passed inside the function and the result is stored inside the check variable.

Then the code prints the check variable to obtain the result. In the end, an if-else statement is used to verify the password.

True
Welcome to GeekPython.

True in the output above indicates that the hashed password matches the user-provided password, making the first condition true.

Hash Password Using KDF (Key Derivation Function)

KDF (Key Derivation Function) is used to add additional security in password hashing. KDFs are used to derive keys from passwords for authentication purposes while including salt and the number of rounds.

import bcrypt

password = b'Sachinfromgeekpython'
salt = bcrypt.gensalt()

# Using KDF from bcrypt Lib
key = bcrypt.kdf(
password=password,
salt=salt,
desired_key_bytes=32,
rounds=200
)

# Print Generated Key
print(f"Key: {key}")

The above code uses the kdf() function from the bcrypt library to derive a key from the password. The function is passed with four parameters:

  • password: This parameter is set to the password variable which contains a byte string.
  • salt: This parameter is set to the salt variable that contains a unique and fixed-length salt.
  • desired_key_bytes: This parameter is set to 32 which is the desired length of the derived key we want. You can set it to your own desired length.
  • rounds: This parameter is set to 200 which is the number of iterations to make the derivation of the key more computationally intense to increase security. The higher the rounds more the security but the more it uses resources and time.

Finally, the result stored in the key variable is printed.

Key: b'\xc4#VW\x9a\x16\xdbG?\x11\xa9\xf7\xbd\x88"7+zxo\xfe@\xce\xab\x89\xc3g\x1c\xec~\xbe\xf7'

Verifying the Password with KDF

import bcrypt

password = b'Sachinfromgeekpython'
salt = bcrypt.gensalt()

# Using KDF from bcrypt Lib
key = bcrypt.kdf(
password=password,
salt=salt,
desired_key_bytes=32,
rounds=200
)

# User-provided Password
user_password = b'Sachinfromgeekpython'

# Deriving Key from User-provided Password
user_key = bcrypt.kdf(
password=user_password,
salt=salt,
desired_key_bytes=32,
rounds=200
)

# Verifying the Password
if user_key == key:
print("Welcome to GeekPython.")
else:
print("Invalid Credential.")

The code derives the key from the user-provided password (user_password) and stores it inside the user_key variable.

Then the code verifies the derived keys from the user-provided password (user_key) and the actual password (password).

Welcome to GeekPython.

The output indicates that the key derived from the user-provided password matches the key derived from the actual password.

Customizing Salt

The gensalt() function accepts two parameters: rounds and prefix, which allow you to customize the number of rounds of hashing to apply to the salt and prefix of the salt.

import bcrypt

# Customize Salt
salt = bcrypt.gensalt(
rounds=30,
prefix=b'2a'
)

# Print Generated Salt
print(salt.decode('utf-8'))

The above code customizes the salt generation by passing the rounds parameter which is set to 30 and the prefix parameter which is set to b'2a' to the gensalt() function.

$2a$30$5uKaXaXVceqCjmKkPf2mnu

You can notice that in the beginning after $, above provided 2a is prefixed, and just after that 30 indicates the number of rounds.

Conclusion

Password hashing prevents exposing the user’s actual password to the attackers. The hash function, which is simply a mathematical function is used to produce the hash value of the password.

In this article, you’ve learned to hash the user’s password using the bcrypt library in Python and then check the produced hash value against the user-provided password. Additionally, you've seen the KDF (Key Derivation Function) that adds additional security for hashing.

That’s all for now

Keep Coding✌✌

--

--

Sachin Pal

I am a self-taught Python developer who loves to write on Python Programming and quite obsessed with Machine Learning.