What does it do?
bcrypt scrambles a password into a hash, a scrambled string that can’t practically be reversed back into the original, and it’s deliberately designed to be slow to compute. That slowness is the entire point: it’s like a lock that takes a full second to pick even with the right tools, trivial for one login attempt but a massive obstacle for an attacker trying millions of stolen password guesses. bcrypt also automatically mixes in a random salt for every password, so two users with identical passwords end up with completely different stored hashes. This Python library provides the interface to run that algorithm and check a login attempt against a previously stored hash.
See it in action
This scrambles a password into an unreadable form using a deliberately slow method, then checks whether a later attempt at that same password matches it.
import bcrypt
password = b"mypassword"
hashed = bcrypt.hashpw(password, bcrypt.gensalt())
print(bcrypt.checkpw(password, hashed))
Why would a non-developer care?
This is a big reason a data breach at a company using it responsibly doesn’t automatically mean every user’s actual password is exposed and immediately usable elsewhere. It’s a quiet piece of engineering standing between a hacked database and your reused password on ten other sites.
Real-world examples
The bcrypt algorithm dates back to 1999, designed by Niels Provos and David Mazieres specifically to stay slow even as computers got faster over time, a choice that has kept it relevant for over two decades. It remains one of the most widely recommended password-hashing choices across web development, in Python and far beyond it.
Who uses it
Developers implementing user login systems who need a well-tested, purpose-built password hashing algorithm rather than building one from scratch.
How it compares to alternatives
It’s often compared with Argon2, a newer algorithm that won a password-hashing competition in 2015 and is considered by many cryptographers an even stronger choice, though bcrypt’s long track record keeps it a common default. Passlib wraps bcrypt as just one of many algorithms it supports.
Fun fact
bcrypt’s name comes from “Blowfish crypt,” since the algorithm is built around the Blowfish block cipher, itself designed by the well-known cryptographer Bruce Schneier.