in Development

How to Encrypt Passwords in PHP/Node.JS/Python

Regardless of what language you use, Bcrypt provides a secure way to store encrypted passwords for just about any online system today.

Bcrypt was first presented in 1999 and uses Blowfish as the cipher.  You can also specify an iteration count to make it slower, but even more resistant to brute-force and dictionary attacks.

While Scrypt is newer, and slower, which in theory will make dictionary attacks much slower, Bcrypt is much older and has stood up to much more public scrutiny than Scrypt over the years.

Lastly, there is Argon2 which won the password hashing challenge (PHC) in 2015.  The idea being as technology advanced in the realms of ASIC and GPU computation, older methods showed potential signs of weakness.

Argon2 aims to address this by making the memory and computational requirements even more expensive than Scrypt and of course Bcrypt.

Despite these newer hashing algorithms, I have focused on Bcrypt purely because of its age and reputation as a strong, well-scrutinized password hashing algorithm for encrypting your database passwords.

Below we will look at how to encrypt and hash passwords in three common development languages, as well as how to validate a user-input password against a password hash stored in your database.

In all the examples we will use a cost factor of 10.  Unfortunately, the ideal cost factor will differ depending on your servers processing power so providing a single value isn’t possible.

Feel free to play around while timing the functions to determine what works best for you.

How to Encrypt Passwords in PHP

As of PHP 5.5.0, there are built-in password hashing functions which specifically use the secure Bcrypt hashing function.  Gone are the days of when you had to manually manage the hashing and salting of passwords.

<?php

$password = 'hacktheplanet';

// Generate a password hash, this is what you will save to your database
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Verify a user-input password, this is what you will validate when signing in
if (password_verify($password, $hash)) {
  print('Correct password!');
}

How to Encrypt Passwords in Node.JS

Hashing passwords in Node.JS is a breeze thanks to the Bcrypt NPM module.  Just install the module using npm.

[[email protected] ~/bcrypt-password-hash]$ npm install bcrypt --save

Once the Bcrypt module is installed you can hash passwords with just a few lines of code.

const bcrypt = require('bcrypt');

const cost = 10;
const password = 'hacktheplanet';

bcrypt.hash(password, cost, (err, hash) => {
  // Store the hash in your database
  console.log(`Generated hash: ${hash}`);

  // Compare the user-input password with the database hash
  bcrypt.compare(password, hash, (err, matches) => {
    if (matches === true) {
      console.log('Correct password!');
    } else {
      console.log('Incorrect password!');
    }
  });
});

There are also synchronous versions available if you don’t wish to use asynchronous callbacks.

const bcrypt = require('bcrypt');

const password = 'hacktheplanet';

const hash = bcrypt.hashSync(password, 10);
// Store the hash in your database
console.log(`Generated hash: ${hash}`);

// Compare the user-input password with the database hash
if (bcrypt.compareSync(password, hash)) {
  console.log('Correct password!');
} else {
  console.log('Incorrect password!');
}

How to Encrypt Passwords in Python

And last but not least, we have Bcrypt usage in Python.  As with Node.JS, we have to first install a module to use in Python.

[[email protected] ~/bcrypt-password-hash]$ pip install bcrypt

But once available, it’s again very easy to hash passwords in Python, as with the other languages.

import bcrypt

password = "hacktheplanet"

# Generate a hash to store in your database
hash = bcrypt.hashpw(password, bcrypt.gensalt(10))

# Check a stored hash against a user-input password
if bcrypt.checkpw(password, hash):
  print("Correct password!")
else:
  print("Incorrect password!")