After this lesson, you will be able to: Explain how passwords are stored securely and hash a password yourself with Python and bcrypt.
Passwords are still the gateway to almost every account on the internet. Storing them safely, and recovering them safely when users forget, is harder than it looks. This lesson covers the math, the mistakes, and a hands-on hashing exercise.
Storing passwords in plaintext means a single database breach exposes every user's credential. Worse, most users reuse passwords, so a leak from one site breaks logins on dozens of others. Plaintext storage has been industry malpractice since the 1970s, yet breaches still find it in production.
A hash function (bcrypt, argon2, scrypt) turns a password into a fixed-length string in a way that can't be reversed. When a user logs in, you hash the input and compare hashes, the original password never sits in your database. Modern algorithms also add a unique salt per password and deliberately slow themselves down to resist brute-force.
Install bcrypt with pip, then hash a password and verify it.
import bcryptpassword = b"SuperSecret123"hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))print(hashed) # $2b$12$... (always different, that's the salt)# Later, when the user logs in:attempt = b"SuperSecret123"if bcrypt.checkpw(attempt, hashed):print("Welcome back!")else:print("Wrong password.")
Modern systems are moving toward passkeys (WebAuthn), cryptographic keypairs stored on your device. There's no shared secret to leak; the server only ever sees a public key. Apple, Google, and Microsoft all support passkeys today, and they're rapidly displacing passwords for high-value accounts.
Choose the best answer.
Sign in and purchase access to unlock this lesson.