{"id":2506,"library":"flask-bcrypt","title":"Flask-Bcrypt","description":"Flask-Bcrypt is a Flask extension that provides bcrypt hashing utilities for your application. It uses the bcrypt password-hashing function, which is intentionally slow and resistant to brute-force attacks, making it suitable for securing sensitive data like passwords. The current version is 1.0.1, and it maintains an active development status with periodic updates.","status":"active","version":"1.0.1","language":"en","source_language":"en","source_url":"https://github.com/maxcountryman/flask-bcrypt","tags":["flask","security","hashing","password","encryption"],"install":[{"cmd":"pip install flask-bcrypt","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core web framework integration.","package":"Flask","optional":false},{"reason":"The underlying cryptographic hashing library.","package":"bcrypt","optional":false},{"reason":"Python development headers required by the 'bcrypt' C library on some Linux distributions.","package":"python-dev / python-devel","optional":true}],"imports":[{"note":"The `flask.ext` prefix for extensions is an outdated pattern from older Flask versions. Modern Flask extensions are imported directly from their package name.","wrong":"from flask.ext.bcrypt import Bcrypt","symbol":"Bcrypt","correct":"from flask_bcrypt import Bcrypt"}],"quickstart":{"code":"from flask import Flask\nfrom flask_bcrypt import Bcrypt\n\napp = Flask(__name__)\n# Configure secret key for session management, if applicable\napp.config['SECRET_KEY'] = 'a_very_secret_key_for_demo'\n\nbcrypt = Bcrypt(app)\n\n# Example usage in a Flask context (e.g., a route or application setup)\npassword_plaintext = \"mysecretpassword123\"\n\n# Generate a password hash (output is bytes, must decode for storage/comparison as string in Py3)\npw_hash = bcrypt.generate_password_hash(password_plaintext).decode('utf-8')\n\nprint(f\"Plaintext Password: {password_plaintext}\")\nprint(f\"Hashed Password: {pw_hash}\")\n\n# Check a password against the hash\nis_correct = bcrypt.check_password_hash(pw_hash, password_plaintext)\nprint(f\"Password check against correct password: {is_correct}\") # Should be True\n\nis_wrong = bcrypt.check_password_hash(pw_hash, \"wrongpassword\")\nprint(f\"Password check against wrong password: {is_wrong}\") # Should be False\n\nif __name__ == '__main__':\n    # In a real app, you would store pw_hash in a database\n    # and then retrieve it for check_password_hash\n    # For demonstration, we just print the results.\n    print(\"Quickstart demonstrated hashing and checking.\")\n","lang":"python","description":"This quickstart demonstrates how to initialize Flask-Bcrypt with your Flask application and use its primary methods, `generate_password_hash` and `check_password_hash`, to secure user passwords. Note the `.decode('utf-8')` call for Python 3 compatibility when storing the hash as a string."},"warnings":[{"fix":"Decide on a strategy for long passwords (e.g., pre-hashing them with SHA256 before passing to bcrypt) before deployment and stick to it. Do not change this setting on a live project with existing user passwords.","message":"Enabling or disabling the `BCRYPT_HANDLE_LONG_PASSWORDS` configuration option on an existing project will break password checking for all users. This option changes how passwords longer than 72 bytes are handled.","severity":"breaking","affected_versions":"All versions"},{"fix":"Always append `.decode('utf-8')` to the output of `generate_password_hash()` if you intend to store or compare the hash as a standard string. Ensure your database column can store the full length of the decoded hash.","message":"`generate_password_hash()` returns a byte string. In Python 3, this often needs to be explicitly decoded (e.g., using `.decode('utf-8')`) before storing in a database column that expects a Unicode string, or when passing it to `check_password_hash` if the stored hash is a string.","severity":"gotcha","affected_versions":"Python 3.x"},{"fix":"Ensure your database column for password hashes is long enough (e.g., `VARCHAR(255)` or `TEXT`) to accommodate the full bcrypt hash string.","message":"Storing the hashed password in a database column with insufficient length (e.g., `VARCHAR(50)`) will truncate the hash, causing `check_password_hash` to consistently return `False` even for correct passwords.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure `pip install flask-bcrypt` completes without errors. On Linux, you might need to install `python-dev` (Debian/Ubuntu) or `python-devel` (RedHat/CentOS) packages first.","message":"A `ModuleNotFoundError: No module named 'bcrypt'` error can occur if the underlying `bcrypt` library is not installed correctly or if Python development headers are missing on non-Windows systems during its installation.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Explicitly convert both the stored hashed password and the incoming plaintext password to byte strings (e.g., `bytes(stored_hash, 'utf-8')` and `password.encode('utf-8')`) before passing them to `check_password_hash` to ensure type consistency.","message":"When using `flask-bcrypt` with databases like PostgreSQL, you might encounter encoding-related `TypeError` issues if hashed passwords or plaintext passwords are not consistently handled as byte strings during comparison.","severity":"gotcha","affected_versions":"All versions, especially with PostgreSQL"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}