Bcrypt is a library developed back in 1999 using the Blowfish cipher. It is a robust encryption algorithm and is still unbroken for years, making it one of the most secure algorithms for encryption. This library can be worked with many programming languages, not only python but also PHP & Javascript, to name a few.
This library is the default one in Linux distributions to hash the passwords for security purposes. The good thing about using this library is that it uses salt when it has the passwords and produces another hash value even if you’ve used the same password every time. So it is even more powerful when protecting your database than the hashlib library.
1. Hashing In Bcrypt
The bcrypt library can hash the password using simple commands and produce a robust hash that can’t be broken or restored to its original value. Let’s first install the library using the pip3 package installer:
pip3 install bcrypt
After successful installation of the bcrypt library, you can use this below command to hash any string:
import bcrypt
# Choose The Password
password = b"Thanks"
# Hashing The Password
hash = bcrypt.hashpw(password, bcrypt.gensalt())
# Printing The Hash
print(hash)
The first you will notice is a very long hash with a strong hash created by this library. When you rerun the code, you will get a different hash even if you’ve used the same password, which is the power of the bcrypt library.
2. Check The Password
Bcrypt library is used a lot when developing a web application using Flask or Django. It can also check if this is the correct password to sign in after creating an account. Let’s see an example:
import bcrypt
# Choose The Password
password = b"Thanks"
# Hashing The Password
hashing = bcrypt.hashpw(password, bcrypt.gensalt())
# Verifying The Password
if bcrypt.checkpw(password, hashing):
print("Correct Password")
else:
print("Wrong Password")
The code will tell you that the password is correct when you run the code. Even the hash is different every time you run the code, which makes it impossible for hackers to get the actual password behind this hash.
The .checkpw() function is used for checking if the password provided is met with the hash or not. It takes two parameters. The first one is the password, and the second one is the hash you’ve generated from the first command when you hash the password.
This function returns a boolean evaluation which means either True or False, and it can then be used with the if statement to make a login to the user or tell him the password is incorrect.
Let’s say you are already a web developer using Flask or Django to build a web application, and you want a ready and straightforward code to use for hashing and checking your user’s passwords. You can use this simple code:
import bcrypt
# Hashing The Password
def hash_pass(password):
return bcrypt.hashpw(str.encode(password), bcrypt.gensalt())
# Checking The Password
def check_pass(password, hashing):
if hash_pass(password) == hashing:
return True
return False
I’ve converted the previous codes into two simple functions: hashing and checking the password.
3. Time For Hashing
One of the downsides of the bcrypt library is it takes a long time to generate the hash compared to other libraries such as Hashlib. Let’s see a simple example here:
import bcrypt
import time
# Choosing The Password
password = b"Thanks"
# Start Time
start = time.time()
# Hashing The Password
hashing = bcrypt.hashpw(password, bcrypt.gensalt())
# End Time
end = time.time()
# Printing The Result
print(end - start)
It took about 0.51 seconds on my machine, but it can be less or more depending on your computer power.
The time you will get on the screen is in seconds, and we’ve used the difference between the end & start time to calculate how much it took from the bcrypt library to hash the password. Let’s now try another less powerful library, but it can take less time to generate the hash:
import hashlib
import time
# Use The md5 Hash
hashing = hashlib.md5()
# Start Time
start = time.time()
# Add Your Message
hashing.update(b"Thanks")
# End Time
end = time.time()
# Printing The Time
print(end - start)
My Linux machine took about 0.00014 seconds to generate the hash, which is way less than the previous one. Again, it can take less or more time depending on the power of your computer and maybe the length of the password you are trying to hash.
4. Hashing Multiple Times
Although the bcrypt library is very powerful for hashing the passwords, you can make it even more potent through rounds. This new term, known as round, means hashing the password many times to make it more robust. Let’s see an example:
import bcrypt
# Choose The Password
password = b"Thanks"
# Hashing The Password
hash = bcrypt.hashpw(password, bcrypt.gensalt(rounds=5))
# Printing The Hash
print(hash)
You can see we’ve added the new parameter called round and set it to 5, which means we will hash this password 5 times and make it stronger.
This method has a downside which will take a very long time for hashing. If you are implementing this into your web application, set a significant number like 15, for example.
Conclusion
Thanks for reading! You’ve seen the power of using the bcrypt library, which is used among big companies to protect their users’ passwords. If you are a web developer using python, I recommend using it to hashing your user’s data and protecting it. But not for passwords but many other things such as credit card info.