Bird
Raised Fist0
FastAPIframework~8 mins

Password hashing with bcrypt in FastAPI - Performance & Optimization

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Performance: Password hashing with bcrypt
MEDIUM IMPACT
This affects server response time and user experience during authentication by adding CPU work for hashing passwords securely.
Hashing user passwords securely during signup or login
FastAPI
import bcrypt

password = b"user_password"
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
Higher cost factor increases CPU time to slow down brute force attacks, improving security.
📈 Performance Gainadds ~100-200ms CPU time per hash, balancing security and user wait time
Hashing user passwords securely during signup or login
FastAPI
import bcrypt

password = b"user_password"
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=4))
Using a very low cost factor (rounds=4) makes hashing fast but weakens security, risking password cracking.
📉 Performance Costfast hashing, minimal CPU load, but poor security
Performance Comparison
PatternCPU LoadBlockingSecurity StrengthVerdict
Low cost factor (rounds=4)Low CPUMinimal blockingWeak security[X] Bad
Recommended cost factor (rounds=12)Medium CPUModerate blockingStrong security[OK] Good
Synchronous verificationMedium CPUBlocks event loopStrong security[X] Bad
Asynchronous verificationMedium CPUNon-blockingStrong security[OK] Good
Rendering Pipeline
Password hashing with bcrypt happens on the server side before sending any response, so it does not affect browser rendering directly but impacts server response time.
Server CPU processing
Response time
⚠️ BottleneckCPU-intensive hashing step delays response generation
Optimization Tips
1Use a bcrypt cost factor that balances security and acceptable server response time (commonly 12).
2Perform bcrypt hashing and verification asynchronously to avoid blocking server event loop.
3Avoid very low cost factors that speed up hashing but reduce password security.
Performance Quiz - 3 Questions
Test your performance knowledge
What is the main performance cost of using bcrypt for password hashing in a FastAPI app?
AIncreased network bandwidth
BMore memory usage on client browser
CCPU time spent hashing passwords
DLonger database query times
DevTools: Network and Performance panels
How to check: Use Network panel to measure server response time; use Performance panel to record and analyze server-side delays if possible with backend profiling tools.
What to look for: Look for increased server response time during login/signup requests indicating bcrypt hashing cost; check if UI is blocked waiting for response.

Practice

(1/5)
1. What is the main purpose of using bcrypt for password hashing in FastAPI?
easy
A. To speed up the login process by caching passwords
B. To encrypt passwords so they can be decrypted later
C. To securely store passwords by converting them into a hashed format
D. To generate random passwords for users automatically

Solution

  1. Step 1: Understand password hashing purpose

    Password hashing converts passwords into a secure format that cannot be reversed, protecting user data.

  2. Step 2: Identify bcrypt role in FastAPI

    bcrypt is used to hash passwords securely, not to encrypt or cache them.

  3. Final Answer:

    To securely store passwords by converting them into a hashed format -> Option C

  4. Quick Check:

    Password hashing = secure storage [OK]
Hint: Hashing hides passwords, not encrypts or caches them [OK]
Common Mistakes:
  • Confusing hashing with encryption
  • Thinking bcrypt speeds up login by caching
  • Believing bcrypt generates passwords automatically
2. Which of the following is the correct way to import and create a bcrypt password context using passlib in FastAPI?
easy
A. from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
B. import bcrypt pwd_context = bcrypt.PasswordContext()
C. from fastapi.security import bcrypt pwd_context = bcrypt.Context()
D. import passlib pwd_context = passlib.bcrypt()

Solution

  1. Step 1: Recall correct import for bcrypt context

    Passlib's CryptContext is imported from passlib.context and configured with schemes=["bcrypt"].

  2. Step 2: Check syntax correctness

    from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") correctly imports and creates pwd_context with bcrypt scheme and deprecated="auto".

  3. Final Answer:

    from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") -> Option A

  4. Quick Check:

    Correct import and setup = from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") [OK]
Hint: Use CryptContext from passlib.context with schemes=['bcrypt'] [OK]
Common Mistakes:
  • Importing bcrypt directly instead of CryptContext
  • Using wrong module names like fastapi.security
  • Calling non-existent constructors
3. Given the following code snippet, what will be the output of print(pwd_context.verify('secret123', hashed_password)) if hashed_password is generated by hashing 'secret123'? 
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
hashed_password = pwd_context.hash('secret123')
print(pwd_context.verify('secret123', hashed_password))
medium
A. Raises a TypeError
B. True
C. False
D. Prints the hashed password string

Solution

  1. Step 1: Understand pwd_context.hash and verify

    pwd_context.hash creates a hashed password from the plain text. verify checks if the plain text matches the hash.

  2. Step 2: Analyze the verify call

    Since 'secret123' was hashed and then verified against the same string, verify returns True.

  3. Final Answer:

    True -> Option B

  4. Quick Check:

    Verify correct password = True [OK]
Hint: Verify returns True if password matches hash [OK]
Common Mistakes:
  • Expecting verify to return the hash
  • Confusing verify output with hash output
  • Thinking verify raises errors on match
4. Identify the error in this FastAPI password hashing code snippet: 
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"])

password = "mypassword"
hashed = pwd_context.hash(password)

if pwd_context.verify(password, hashed):
    print("Password verified")
else:
    print("Verification failed")
medium
A. Using verify method incorrectly with arguments reversed
B. No error; code works correctly
C. Not importing bcrypt module explicitly
D. Missing deprecated="auto" in CryptContext initialization

Solution

  1. Step 1: Check CryptContext initialization

    Best practice is to include deprecated="auto" to handle scheme deprecation warnings.

  2. Step 2: Verify method usage and imports

    verify is used correctly with (plain, hashed). bcrypt import is not needed explicitly with passlib.

  3. Final Answer:

    Missing deprecated="auto" in CryptContext initialization -> Option D

  4. Quick Check:

    Include deprecated="auto" to avoid warnings [OK]
Hint: Always add deprecated="auto" in CryptContext [OK]
Common Mistakes:
  • Omitting deprecated="auto" causes warnings
  • Reversing arguments in verify method
  • Importing bcrypt separately when unnecessary
5. You want to create a FastAPI endpoint that accepts a user's plain password, hashes it with bcrypt, and stores it securely. Which of the following code snippets correctly implements this functionality considering best practices?
hard
A. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"}
B. from fastapi import FastAPI import bcrypt app = FastAPI() @app.post("/register") def register(password: str): hashed_password = bcrypt.hashpw(password, bcrypt.gensalt()) return {"hashed": hashed_password}
C. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"]) @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password.encode()) return {"msg": "Password hashed"}
D. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: bytes): hashed_password = pwd_context.hash(password) return {"msg": "User registered"}

Solution

  1. Step 1: Check correct use of passlib CryptContext and hashing

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} correctly imports CryptContext with deprecated="auto" and hashes the plain string password.

  2. Step 2: Validate FastAPI endpoint and parameter types

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} uses async def with password as str, which is standard for FastAPI input. It hashes and comments storing securely.

  3. Step 3: Compare other options for errors

    from fastapi import FastAPI import bcrypt app = FastAPI() @app.post("/register") def register(password: str): hashed_password = bcrypt.hashpw(password, bcrypt.gensalt()) return {"hashed": hashed_password} uses bcrypt module incorrectly with str instead of bytes; from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"]) @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password.encode()) return {"msg": "Password hashed"} hashes password.encode() but misses deprecated="auto"; from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: bytes): hashed_password = pwd_context.hash(password) return {"msg": "User registered"} expects bytes input which is unusual for FastAPI JSON input.

  4. Final Answer:

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} -> Option A

  5. Quick Check:

    Use passlib CryptContext with str input and deprecated="auto" [OK]
Hint: Use passlib CryptContext with str password and deprecated="auto" [OK]
Common Mistakes:
  • Using bcrypt module directly with wrong input types
  • Omitting deprecated="auto" in CryptContext
  • Accepting password as bytes instead of str in FastAPI