Home/ Questions/Q 8210755
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T10:11:00+00:00

At the moment I’m trying to build a log in system with a very

  • 0

At the moment I’m trying to build a log in system with a very high security.

So I want to use bcrypt and I’ve also found a 3rd party library,
py-bcrypt.

But the author said it is a pure python implementation.

Now I read somewhere that it is not recommended to use bcrypt in python only because it is too slow and this results in a security leak. bcrypt should be implemented in C.

Can anyone confirm this? Now what should I do?

Should I use:

  • bcrypt (python)
  • SHA512 (from hashlib)
  • something different

I’m using Google App Engine

EDIT:
http://packages.python.org/passlib/lib/passlib.hash.bcrypt.html#bcrypt-backends

It should be noted that the pure-python implementation (#4) is too
slow to be useable, given the number of rounds currently required for
security. Because of this, it is disabled by default, unless the
environment variable PASSLIB_BUILTIN_BCRYPT=”enabled” is set.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    How about comparing the two? Here is code to hash a password of 8000 random bits and corresponding times:

    Hashlib:

    #!/usr/bin/env python
import hashlib
import random

password = str(random.getrandbits(8000))
print hashlib.sha512(password).hexdigest()

    Hashlib including salt:

    #!/usr/bin/env python
import hashlib
import random

password = str(random.getrandbits(8000))
salt = str(random.getrandbits(256))
print hashlib.sha512(password + salt).hexdigest()

    bcrypt:

    #!/usr/bin/env python
import bcrypt
import random

password = str(random.getrandbits(8000))
print bcrypt.hashpw(password,bcrypt.gensalt())

    Timing bcrypt:

    $ time ./bcrypt_test.py 
$2a$12$Om3a3zKsCNAM/SLB3hq5w.HYukFwn4CJ73rjXYNUPgqckUx2uLEmG

real    0m0.401s
user    0m0.313s
sys 0m0.013s

    Timing hashlib:

    $ time ./hashlib_test.py 
9e37eb4f164bbb1808833297d0244327e4faac109cd92729228f6e36d75d23044ac13a7a1907515cd6db44474b244678779e3ae4e97d8355c2069332aae52d61

real    0m0.032s
user    0m0.021s
sys 0m0.010s
$
    • 0