Hashing Passwords in Python with BCrypt

In this article, we will see how to hash passwords in Python with BCrypt. Storing passwords in plain text is a bad practice as it is vulnerable to various hacking attempts. That's why it is recommended to keep them in a hashed form. 

What is hashing?

It's a process of converting one string to another using a hash function. There are various types of hash functions but there are some basic similarities that are satisfied by all of them is that hashing is an irreversible process. i.e. conversion should be only one way, the length of hash should be fixed, and an input string should uniquely correspond with a hash so that we can compare them later, this makes it ideal for passwords and authentication.

Hash a Password in Python Using Bcrypt

Bcrypt is a password hashing function designed by Nelis Provos and David Mazières. Bcrypt uses strong cryptography to hash and salts password based on the Blowfish cipher. To make encryption stronger we can increase the "cost factor" so it can be increased as computers become faster. It is also intended to be slow, to make the brute force attacks slower and harder.

To install Bcrypt use the command - 

pip install bcrypt

The functions in Bcrypt used -

• bcrypt.gensalt() -  It is used to generate salt. Salt is a pseudorandom string that is added to the password. Since hashing always gives the same output for the same input so if someone has access to the database, hashing can be defeated. for that salt is added at end of the password before hashing. It doesn't need any arguments and returns a pseudorandom string.
• bcrypt.hashpw() - It is used to create the final hash which is stored in a database.
  • Arguments - We can pass Salt and Password in form of bytecode.
  • Return value - If hashing is successful, it returns a hash string.

Hashing passwords

To use bcrypt, you'll need to import bcrypt module, After that the bcrypt.hashpw() function takes 2 arguments: A string (bytes) and Salt. Salt is random data used in the hashing function. Let's hash a password and print it in the following examples.

Example 1:

import bcrypt

# example password
password = 'password123'

# converting password to array of bytes
bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# Hashing the password
hash = bcrypt.hashpw(bytes, salt)

print(hash)

Output: 

Example 2:

Now let's just change the input password a little bit to see the behavior of hashing.

import bcrypt

# example password
password = 'passwordabc'

# converting password to array of bytes
bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# Hashing the password
hash = bcrypt.hashpw(bytes, salt)

print(hash)

Output:

Checking passwords

The following example checks a password against a hashed value.

Example 1:

Here we will check whether the user has entered the correct password or not, for that we can use bcrypt.checkpw(password, hash). At first, let's assume the user entered the wrong password.

import bcrypt

# example password
password = 'passwordabc'

# converting password to array of bytes
bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# Hashing the password
hash = bcrypt.hashpw(bytes, salt)

# Taking user entered password 
userPassword =  'password000'

# encoding user password
userBytes = userPassword.encode('utf-8')

# checking password
result = bcrypt.checkpw(userBytes, hash)

print(result)

Output:

Example 2:

Now let's see what happens when passwords are matched:

import bcrypt

# example password
password = 'passwordabc'

# converting password to array of bytes
bytes = password.encode('utf-8')

# generating the salt
salt = bcrypt.gensalt()

# Hashing the password
hash = bcrypt.hashpw(bytes, salt)

# Taking user entered password 
userPassword =  'passwordabc'

# encoding user password
userBytes = userPassword.encode('utf-8')

# checking password
result = bcrypt.checkpw(userBytes, hash)

print(result)

Output: