This library is the default one in Linux distributions to hash the passwords for security purposes. The good thing about using this library is that it uses salt when it has the passwords and produces another hash value even if you’ve used the same password every time. So it is even more powerful when protecting your database than the hashlib library.
1. Hashing In Bcrypt
The bcrypt library can hash the password using simple commands and produce a robust hash that can’t be broken or restored to its original value. Let’s first install the library using the pip3 package installer:
pip3 install bcrypt
After successful installation of the bcrypt library, you can use this below command to hash any string:
import bcrypt # Choose The Password password = b"Thanks" # Hashing The Password hash = bcrypt.hashpw(password, bcrypt.gensalt()) # Printing The Hash print(hash)
The first you will notice is a very long hash with a strong hash created by this library. When you rerun the code, you will get a different hash even if you’ve used the same password, which is the power of the bcrypt library.
2. Check The Password
Bcrypt library is used a lot when developing a web application using Flask or Django. It can also check if this is the correct password to sign in after creating an account. Let’s see an example:
import bcrypt # Choose The Password password = b"Thanks" # Hashing The Password hashing = bcrypt.hashpw(password, bcrypt.gensalt()) # Verifying The Password if bcrypt.checkpw(password, hashing): print("Correct Password") else: print("Wrong Password")
The code will tell you that the password is correct when you run the code. Even the hash is different every time you run the code, which makes it impossible for hackers to get the actual password behind this hash.
The .checkpw() function is used for checking if the password provided is met with the hash or not. It takes two parameters. The first one is the password, and the second one is the hash you’ve generated from the first command when you hash the password.
This function returns a boolean evaluation which means either True or False, and it can then be used with the if statement to make a login to the user or tell him the password is incorrect.
Let’s say you are already a web developer using Flask or Django to build a web application, and you want a ready and straightforward code to use for hashing and checking your user’s passwords. You can use this simple code:
import bcrypt # Hashing The Password def hash_pass(password): return bcrypt.hashpw(str.encode(password), bcrypt.gensalt()) # Checking The Password def check_pass(password, hashing): if hash_pass(password) == hashing: return True return False
I’ve converted the previous codes into two simple functions: hashing and checking the password.
3. Time For Hashing
One of the downsides of the bcrypt library is it takes a long time to generate the hash compared to other libraries such as Hashlib. Let’s see a simple example here:
import bcrypt import time # Choosing The Password password = b"Thanks" # Start Time start = time.time() # Hashing The Password hashing = bcrypt.hashpw(password, bcrypt.gensalt()) # End Time end = time.time() # Printing The Result print(end - start)
It took about 0.51 seconds on my machine, but it can be less or more depending on your computer power.
The time you will get on the screen is in seconds, and we’ve used the difference between the end & start time to calculate how much it took from the bcrypt library to hash the password. Let’s now try another less powerful library, but it can take less time to generate the hash:
import hashlib import time # Use The md5 Hash hashing = hashlib.md5() # Start Time start = time.time() # Add Your Message hashing.update(b"Thanks") # End Time end = time.time() # Printing The Time print(end - start)
My Linux machine took about 0.00014 seconds to generate the hash, which is way less than the previous one. Again, it can take less or more time depending on the power of your computer and maybe the length of the password you are trying to hash.
4. Hashing Multiple Times
Although the bcrypt library is very powerful for hashing the passwords, you can make it even more potent through rounds. This new term, known as round, means hashing the password many times to make it more robust. Let’s see an example:
import bcrypt # Choose The Password password = b"Thanks" # Hashing The Password hash = bcrypt.hashpw(password, bcrypt.gensalt(rounds=5)) # Printing The Hash print(hash)
You can see we’ve added the new parameter called round and set it to 5, which means we will hash this password 5 times and make it stronger.
This method has a downside which will take a very long time for hashing. If you are implementing this into your web application, set a significant number like 15, for example.
Thanks for reading! You’ve seen the power of using the bcrypt library, which is used among big companies to protect their users’ passwords. If you are a web developer using python, I recommend using it to hashing your user’s data and protecting it. But not for passwords but many other things such as credit card info.