BCryptSHA256PasswordHasher
Secure password hashing using the bcrypt algorithm (recommended)
Attributes
| Attribute | Type | Description |
|---|---|---|
| algorithm | string = "bcrypt_sha256" | The unique identifier for this hashing algorithm used in the encoded password string. |
| digest | callable = hashlib.sha256 | The hash function applied to the password before it is passed to bcrypt, so that bcrypt's fixed input limit cannot silently truncate long passwords. |
| library | tuple = ("bcrypt", "bcrypt") | A tuple containing the library name and the module name required to perform bcrypt hashing. |
| rounds | int = 12 | The logarithmic work factor that determines the number of hashing iterations to perform. |
Constructor
Signature
def BCryptSHA256PasswordHasher()
Methods
salt()
@classmethod
def salt() -> bytes
Generates a new random salt using the bcrypt library with the configured number of rounds.
Returns
| Type | Description |
|---|---|
| bytes | A randomly generated salt suitable for bcrypt hashing. |
encode()
@classmethod
def encode(
password: string,
salt: string
) -> string
Hashes the password with SHA-256 and then bcrypt; the SHA-256 step keeps long passwords from being truncated by bcrypt, and the bcrypt step provides the slow, salted hash for storage.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The plain-text password to be hashed. |
| salt | string | The salt value used to randomize the hashing process. |
Returns
| Type | Description |
|---|---|
| string | A formatted string containing the algorithm name and the resulting bcrypt hash. |
decode()
@classmethod
def decode(
encoded: string
) -> dict
Parses an encoded password string into its constituent components, such as the work factor and salt.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The full encoded password string stored in the database. |
Returns
| Type | Description |
|---|---|
| dict | A dictionary containing the algorithm, work factor, salt, and checksum extracted from the hash. |
verify()
@classmethod
def verify(
password: string,
encoded: string
) -> boolean
Checks if a plain-text password matches the provided encoded hash using a constant-time comparison.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The plain-text password to verify. |
| encoded | string | The stored hash string to compare against. |
Returns
| Type | Description |
|---|---|
| boolean | True if the password matches the hash, False otherwise. |
safe_summary()
@classmethod
def safe_summary(
encoded: string
) -> dict
Returns a summary of the hashing metadata with sensitive information like the salt and checksum masked.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The encoded password string to summarize. |
Returns
| Type | Description |
|---|---|
| dict | A dictionary of descriptive metadata suitable for logging or administrative displays. |
must_update()
@classmethod
def must_update(
encoded: string
) -> boolean
Determines if the password should be re-hashed because the stored work factor differs from the current system setting.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The encoded password string to check for obsolescence. |
Returns
| Type | Description |
|---|---|
| boolean | True if the work factor is outdated and the password needs re-encoding. |
harden_runtime()
@classmethod
def harden_runtime(
password: string,
encoded: string
)
Performs extra hashing work for hashes stored with a lower work factor so that verifying them takes about as long as verifying a current hash; this keeps response timing from revealing which accounts still have legacy hashes.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The plain-text password used for the additional hashing iterations. |
| encoded | string | The encoded hash used to determine the necessary amount of additional work. |
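The encode() pre-hash, the decode() string format, the must_update() check and the harden_runtime() cost calculation described above, as an added example that is not the project's own code and that mirrors the documented behavior without calling bcrypt itself. The encoded string is constructed for illustration; hex-encoding the digest and masking all but the first 6 characters in safe_summary() are assumptions made for this example.

```python
import binascii
import hashlib

ALGORITHM = "bcrypt_sha256"
CURRENT_ROUNDS = 12  # assumed configured work factor (the `rounds` attribute)

# Constructed sample: NOT a real hash, just a 22-char salt + 31-char checksum
# in the bcrypt alphabet, stored with an older work factor of 10.
LEGACY = "bcrypt_sha256$$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def prehash(password: str) -> bytes:
    """SHA-256 the password and hex-encode the digest (64 ASCII bytes).
    bcrypt only consumes a fixed-length prefix of its input, so a long
    password would otherwise be silently truncated; the fixed-size digest
    keeps every byte of the original password relevant."""
    return binascii.hexlify(hashlib.sha256(password.encode()).digest())


def decode(encoded: str) -> dict:
    """Split 'bcrypt_sha256$$2b$<rounds>$<22-char salt><31-char checksum>'."""
    algorithm, empty, algostr, work_factor, data = encoded.split("$", 4)
    if algorithm != ALGORITHM or empty != "":
        raise ValueError("not a bcrypt_sha256 encoded password")
    return {"algorithm": algorithm, "algostr": algostr,  # algostr: variant, e.g. "2b"
            "work_factor": int(work_factor),
            "salt": data[:22], "checksum": data[22:]}


def must_update(encoded: str, rounds: int = CURRENT_ROUNDS) -> bool:
    """True when the stored work factor differs from the configured one."""
    return decode(encoded)["work_factor"] != rounds


def safe_summary(encoded: str, show: int = 6) -> dict:
    """Metadata safe to log: salt and checksum masked after `show` chars."""
    d = decode(encoded)
    return {"algorithm": d["algorithm"], "work factor": d["work_factor"],
            "salt": d["salt"][:show] + "*" * (len(d["salt"]) - show),
            "checksum": d["checksum"][:show] + "*" * (len(d["checksum"]) - show)}


def extra_encode_calls(encoded: str, rounds: int = CURRENT_ROUNDS) -> int:
    """Extra bcrypt runs harden_runtime() performs for a legacy hash.
    The work factor is logarithmic (each +1 doubles the cost), so a hash
    stored at `stored` rounds needs 2**(rounds - stored) - 1 more runs to
    cost about as much as a current hash, hiding which accounts are legacy."""
    stored = decode(encoded)["work_factor"]
    return max(2 ** (rounds - stored) - 1, 0)
```

With the sample stored at work factor 10 and the configured value 12, must_update() reports True and harden_runtime() would run encode() three extra times before returning.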