Flask framework, ~10 mins

Password storage best practices in Flask - Step-by-Step Execution

Concept Flow - Password storage best practices
User enters password
Generate salt
Hash password + salt
Store salt + hash in DB
User login attempt
Retrieve salt + hash from DB
Hash entered password + salt
Compare hashes
Grant or deny access
This flow shows how a password is salted and hashed before storage, then verified on login by hashing the entered password with the stored salt and comparing hashes.
Execution Sample
Flask
from flask import Flask, request
from werkzeug.security import generate_password_hash, check_password_hash

# Store hashed password: the returned string bundles the hashing method,
# a freshly generated random salt and the hash, so only this string is saved
hashed = generate_password_hash('mypassword')

# Verify password: the salt is read back out of the stored string, the
# entered password is hashed with it and the two hashes are compared
check_password_hash(hashed, 'mypassword')  # True
This code hashes a password securely and then checks if a given password matches the stored hash.
Execution Table
| Step | Action | Input | Output | Notes |
|---|---|---|---|---|
| 1 | User enters password | 'mypassword' | Password string | Raw password input |
| 2 | Generate salt and hash | 'mypassword' | Hashed password string | Salt is generated internally by generate_password_hash |
| 3 | Store hashed password | Hashed password string | Saved in database | Only hashed password stored, never raw password |
| 4 | User login attempt | 'mypassword' | Password string | User inputs password again |
| 5 | Retrieve stored hash | User ID | Hashed password string | Get stored hash from DB |
| 6 | Hash entered password with salt | 'mypassword' | Hashed password string | Salt is extracted from stored hash internally |
| 7 | Compare hashes | Hashed entered password vs stored hash | True or False | True if passwords match |
| 8 | Grant or deny access | Comparison result | Access granted or denied | Access granted only if True |
💡 Process stops after access is granted or denied based on password match
Variable Tracker
| Variable | Start | After Step 2 | After Step 3 | After Step 5 | After Step 6 | After Step 7 |
|---|---|---|---|---|---|---|
| password | None | 'mypassword' | 'mypassword' | 'mypassword' | 'mypassword' | 'mypassword' |
| salt | None | Generated internally | Stored internally in hash | Retrieved internally | Used internally | Used internally |
| hashed_password | None | Generated hash string | Stored in DB | Retrieved from DB | Computed from input | Compared |
| check_result | None | None | None | None | None | True or False |
Key Moments - 3 Insights
Why do we never store the raw password in the database?
Storing raw passwords is risky because if the database is leaked, attackers get all passwords. The execution_table shows we only store the hashed password (Step 3), which protects raw passwords.
What is the role of salt in password hashing?
Salt adds random data to the password before hashing to prevent attackers from using precomputed tables. The salt is generated and stored inside the hash (Step 2 and Step 3) and reused during verification (Step 6).
How does check_password_hash verify the password?
It extracts the salt from the stored hash, hashes the entered password with it, then compares hashes (Step 6 and Step 7). This ensures the entered password matches without storing raw passwords.
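The flow above (salt, hash, store, retrieve, re-hash, compare) as an added stand-alone example; this is not the page's code and not Werkzeug itself, but a standard-library re-implementation using a string layout modelled on the `method$salt$hash` shape so the salt travels with the hash. The in-memory USERS dict, the 600,000 round count and the user names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory "database": username -> stored hash string, never a raw password
USERS: Dict[str, str] = {}

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Step 2: generate a random salt and derive the hash.

    Returns one string 'pbkdf2:sha256:<rounds>$<salt>$<hex hash>' so the salt
    is stored with the hash (Step 3) and can be read back on login (Step 6).
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 128-bit random salt, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS)
    return f"pbkdf2:sha256:{PBKDF2_ROUNDS}${salt}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Steps 6-7: re-derive with the stored salt and compare in constant time."""
    method, salt, expected = stored.split("$", 2)
    _, algo, rounds = method.split(":")
    digest = hashlib.pbkdf2_hmac(algo, candidate.encode(), salt.encode(), int(rounds))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), expected)


def register(username: str, password: str) -> None:
    """Steps 1-3: only the hash string reaches the store."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Steps 4-8: look up the stored hash, verify, grant or deny."""
    stored = USERS.get(username)
    if stored is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist
        hash_password(password)
        return False
    return verify_password(stored, password)
```

Hashing the same password twice yields different strings because a fresh salt is drawn each time, which is exactly what defeats precomputed tables.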
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution_table, what is stored in the database after Step 3?
A. Hashed password string with salt
B. Salt only
C. Raw password string
D. User's plain text password
💡 Hint
Check Step 3 in execution_table where it says what is stored in the database.
At which step does the system compare the entered password with the stored password?
A. Step 5
B. Step 6
C. Step 7
D. Step 8
💡 Hint
Look at the 'Compare hashes' action in the execution_table.
If the salt was not used, how would the execution_table change?
A. Step 6 would not hash the password
B. Step 2 would not generate salt
C. Step 7 would always return True
D. Step 3 would store raw password
💡 Hint
Salt generation is shown in Step 2; without salt, that step changes.
Concept Snapshot
Password Storage Best Practices in Flask:
- Never store raw passwords.
- Use generate_password_hash() to hash with salt.
- Store only the hashed password.
- Use check_password_hash() to verify passwords.
- Salt is handled internally to protect against attacks.
Full Transcript
This visual execution shows how password storage works in Flask using best practices. When a user enters a password, the system generates a salt and hashes the password combined with the salt. This hashed password is stored in the database, never the raw password. On login, the system retrieves the stored hash and salt, hashes the entered password with the same salt, and compares the two hashes. If they match, access is granted. This process protects user passwords even if the database is compromised.