Flask · How-To · Beginner · 3 min read

How to Use Flask-Bcrypt for Password Hashing in Flask

Use Flask-Bcrypt by initializing it with your Flask app, then call generate_password_hash() to hash passwords and check_password_hash() to verify them. You store only the salted, deliberately slow bcrypt hash, never the password itself, and verify logins against that stored hash.

Syntax

Flask-Bcrypt provides two main methods: generate_password_hash(password) creates a salted bcrypt hash (returned as bytes), and check_password_hash(hashed_password, password) verifies a candidate password against a stored hash, returning True or False.

You first create a Bcrypt object by passing your Flask app instance (or create it bare and call init_app(app) later). The cost factor comes from the app's BCRYPT_LOG_ROUNDS setting, which defaults to 12; generate_password_hash() also accepts an explicit rounds= argument for a single call.

python
from flask_bcrypt import Bcrypt
from flask import Flask

app = Flask(__name__)
bcrypt = Bcrypt(app)

# Hash a password
hashed_password = bcrypt.generate_password_hash('mysecret').decode('utf-8')

# Check a password
is_correct = bcrypt.check_password_hash(hashed_password, 'mysecret')

Example

This example shows a simple Flask app that hashes a password and then verifies it. It prints whether the password check passed or failed.

python
from flask import Flask
from flask_bcrypt import Bcrypt

app = Flask(__name__)
bcrypt = Bcrypt(app)

@app.route('/')
def index():
    password = 'mypassword123'
    hashed = bcrypt.generate_password_hash(password).decode('utf-8')
    check = bcrypt.check_password_hash(hashed, 'mypassword123')
    return f'Password hashed: {hashed}<br>Password check passed: {check}'

if __name__ == '__main__':
    app.run(debug=True)  # debug=True is for local development only; never run with it in production
Output
Password hashed: $2b$12$...<br>Password check passed: True

Common Pitfalls

  • generate_password_hash() returns bytes. Decode them to a str before storing the hash in a text column or displaying it, or you get b'...' in your output and type errors from your database layer.
  • check_password_hash() takes the stored hash first and the candidate password second. Swapping them raises ValueError ("Invalid salt") rather than returning False, because the password is parsed as a hash.
  • Never store or log the plaintext password; keep only the hash. The hash alone is enough to verify later logins.
  • Do not generate or reuse a salt yourself. bcrypt draws a fresh random salt for every call and embeds it in the hash string, so two hashes of the same password differ and both verify.
  • bcrypt only uses the first 72 bytes of a password. If you allow longer passphrases, set BCRYPT_HANDLE_LONG_PASSWORDS = True so Flask-Bcrypt pre-hashes the input with SHA-256 before bcrypt sees it; decide this before storing any hashes, because changing it later invalidates existing ones.
python
from flask_bcrypt import Bcrypt

bcrypt = Bcrypt()

# Wrong: not decoding hash (bytes instead of string)
hash_bytes = bcrypt.generate_password_hash('pass')
print(type(hash_bytes))  # <class 'bytes'>

# Right: decode to string
hash_str = hash_bytes.decode('utf-8')
print(type(hash_str))  # <class 'str'>

# Wrong: arguments swapped (password, hash)
# bcrypt.check_password_hash('password', hash_str)  # raises ValueError: Invalid salt

# Right:
correct = bcrypt.check_password_hash(hash_str, 'pass')  # True
Output
<class 'bytes'>
<class 'str'>

Quick Reference

Flask-Bcrypt Cheat Sheet:

  • Bcrypt(app): Initialize with the Flask app (or Bcrypt() then bcrypt.init_app(app)).
  • generate_password_hash(password, rounds=None): Hash a password with a fresh random salt (returns bytes); cost comes from BCRYPT_LOG_ROUNDS (default 12) unless rounds is given.
  • .decode('utf-8'): Convert the hash bytes to a string for storage.
  • check_password_hash(hashed_password, password): Verify a password against a stored hash; returns True or False, raises ValueError if the first argument is not a bcrypt hash.

Key Takeaways

Always hash passwords with Flask-Bcrypt before storing them; the plaintext should never reach the database or the logs.
Use generate_password_hash() to create a salted hash and decode it to a string before saving.
Verify passwords with check_password_hash() by passing the stored hash first and the user input second.
Avoid common mistakes like swapped argument order, storing raw bytes instead of strings, and ignoring bcrypt's 72-byte input limit.
Flask-Bcrypt generates a random salt for every hash and uses bcrypt, a deliberately slow algorithm whose cost factor you control with BCRYPT_LOG_ROUNDS.