Security & Authentication

passlib

A password-hashing Swiss Army knife built for the days when nobody could agree on one right way to do it.

Install it: pip install passlib

What does it do?

Passlib takes a password a user types in and transforms it into a scrambled, one-way version that’s stored instead of the actual password, then checks a future login attempt against that scrambled version without ever needing to store the real password anywhere. It supports more than thirty different hashing schemes, functioning like a locksmith who can work with whichever type of lock a building already has installed, rather than forcing every door to use the same mechanism. This flexibility made it especially useful for handling old systems, letting a company upgrade a password’s protection the next time a user logs in without disrupting anyone. It also includes tools to help pick sensible, secure default settings for beginners.

See it in action

This scrambles a password into a secure, unreadable form suitable for storage, then checks whether a later password attempt matches the original.

from passlib.context import CryptContext

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

hashed = pwd_context.hash("mypassword")
print(pwd_context.verify("mypassword", hashed))

Why would a non-developer care?

This is the layer of software that means a company storing your password securely never actually has your real password sitting in their database, only an irreversible scrambled version. That distinction is exactly why a data breach at a well-run company doesn’t have to mean your actual password gets exposed.

Real-world examples

Passlib became a go-to choice for Python web applications during the 2010s that needed to support many different hashing schemes at once, particularly when migrating legacy user databases to a stronger hashing method. The project has been in more of a maintenance mode recently, with some newer projects favoring narrowly focused libraries like bcrypt or argon2-cffi directly.

Who uses it

Backend developers handling user authentication systems, especially those maintaining older applications with mixed or legacy password-hashing schemes.

How it compares to alternatives

Unlike bcrypt, which implements exactly one hashing algorithm very well, Passlib is a broader framework supporting dozens of schemes at once, trading some simplicity for flexibility; many newer projects choose a single focused library instead.

New to Python and want to actually try libraries like this yourself?

Find a beginner-friendly course

Related libraries