bcrypt Hashing in Python: Installation & Usage Guide

Hash passwords with bcrypt in Python using the bcrypt library. Includes installation, hashing, verification, and Django integration examples.

Python's bcrypt library provides straightforward bcrypt password hashing. Unlike SHA-256 or MD5, bcrypt is specifically designed for passwords — it is intentionally slow, includes automatic salting, and allows you to increase the cost factor over time as hardware improves. The Python bcrypt package wraps the C implementation of bcrypt, making it fast to install and reliable in production.

How to Use the bcrypt Generator Tool

  1. Enter a password — Type the password or string you want to hash.
  2. Select the work factor — Choose rounds (12 is a sensible default). Higher rounds = slower hash = more secure.
  3. Generate and copy the hash — The output is a 60-character string starting with $2b$. Store this in your database.
  4. Verify with the examples below — Confirm your Python implementation matches the expected output.

Installing and Using bcrypt in Python

# Install
pip install bcrypt

import bcrypt

# Hash a password
password = b'mySecretPassword'  # Must be bytes
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
print(hashed)
# b'$2b$12$...'

# Verify a password
is_valid = bcrypt.checkpw(password, hashed)
print(is_valid)  # True

Using bcrypt with Django

# settings.py — enable bcrypt as the password hasher
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',  # fallback
]

# Install required package
# pip install bcrypt

# Django handles hashing and verification automatically via:
# User.objects.create_user('alice', password='secret')
# user.check_password('secret')  # returns True/False

Why Use bcrypt in Python?

  • Automatic salt generation — bcrypt.gensalt() generates a cryptographically random salt. You never need to manage salts manually.
  • Constant-time comparison — bcrypt.checkpw() uses a timing-safe comparison internally, protecting against timing side-channel attacks.
  • Works with all Python web frameworks — Drop-in support for Flask, FastAPI, and Django (with the right hasher configured).
  • Well-maintained package — The Python bcrypt library is actively maintained and widely deployed in production.

Handling String vs. Bytes

The Python bcrypt library requires bytes input. Convert strings with .encode('utf-8') before hashing. The hashed output is also bytes; convert to a string with .decode('utf-8') for storage in a text database column. When verifying, convert the stored hash string back to bytes with .encode('utf-8') before passing to checkpw().

Bcrypt Password Length Limit

bcrypt truncates input at 72 bytes. For passwords longer than 72 characters, consider pre-hashing with SHA-256 before passing to bcrypt — but this is only necessary if your application explicitly supports very long passwords. For typical web applications, the 72-byte limit is not a practical concern.

Generate and test bcrypt hashes with the bcrypt Generator to experiment before writing your Python code.