
Course: Python > Build a Social Network with Flask > Making Strong Users > Cryptographic Hashing with Flask-Bcrypt

How does the check_password_hash function compare hashes?

I'm just curious to know how the check_password_hash function compares the passwords. As told in the lecture, hashes cannot be "decrypted". Moreover, hashing the same word two times generates a different output every time. So how does the check_password_hash function do it?

3 Answers

Chris Freeman (Treehouse Moderator, 68,457 Points)

Hashing works because it's a one-way cipher, that is, it can encode but not decode a value. One way to validate passwords is to store the encrypted hash of the password (something that no one can decode). Then when a user attempts to log in, the password submitted is hashed in the same manner and the result is compared to the stored hash. If the hashed values are the same then the original passwords must have been the same.

There are additional techniques used in the hashing process to prevent someone from repeatedly hashing various passwords trying to find a match. This includes adding a "salt", or unique starting value, to a system.

Each time you run Python interactively it will generate a new salt value, so hashes within the same Python session will match, but the same value hashed in different Python sessions will have a different resulting value.

Sameera Sy (2,349 Points)

Hey Chris Freeman, you wrote: "Then when a user attempts to login, the password submitted is hashed in the same manner and the results are compared to the stored hash. If the hashed values are the same then the original passwords must have been the same."

Isn't the whole motive of Hashing not to get the same hashcode of a string twice? What I mean is for example, If hash("hello") = "abcd" (say). Then according to your above statement, the second time I hash the string hello, I get abcd again, which wasn't the case in the video.

We did learn from the video that a salt is used with our string (hello) to get the hash. My question is how does check_password_hash end up comparing the entered password with the string argument? Just curious.

Chris Freeman (Treehouse Moderator, 68,457 Points)

Sameera Sy, great question! The salt is stored within the encrypted password portion of the hash value. This StackOverflow answer says the first 22 characters of the password hash contain the unique salt. The remainder is the encrypted password characters. During password comparison, the existing salt is extracted and used to encrypt the submitted password for comparison.

Hope this answers your question!

Ahmad Faris (1,656 Points)

So, does Bcrypt somehow store the salts for various sessions, so that when a user logs in during a different session, the hashed passwords can be matched? Chris Freeman

Chris Freeman (Treehouse Moderator, 68,457 Points)

When the password is encrypted using bcrypt.generate_password_hash(), the result has three fields of the format $[algo]$[salt]$[hexdigest], which is then saved into the database. The salt is automatically extracted and used to check incoming password challenges. So each user effectively has their own salt value.
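The mechanism described in the two answers above (the salt lives inside the stored hash string, and the checker reads it back out before re-hashing the submitted password) is shown below as an added example; it is not code from the Treehouse course or from Flask-Bcrypt. Because bcrypt is a third-party package, the derivation uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in, and the `$pbkdf2-sha256$rounds$salt$digest` layout is this example's own invention that mirrors bcrypt's self-describing format. The `parse_bcrypt_hash` helper splits a real 60-character bcrypt string into its fields (`$2b$`, cost, then 22 salt characters followed by 31 hash characters); the bcrypt-looking string fed to it at the bottom is constructed for parsing only, not a real password hash.

```python
# Added example (not Treehouse's or Flask-Bcrypt's code). Shows why two hashes
# of the same password differ yet both verify: each stored string carries its
# own salt, and check_password_hash() re-derives with that salt.
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2-sha256"  # assumed algorithm tag for this example's own format


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def generate_password_hash(password: str, rounds: int = 100_000) -> str:
    """Return '$pbkdf2-sha256$<rounds>$<salt-b64>$<digest-b64>'.

    A fresh random salt is drawn on every call, which is why hashing the
    same password twice yields two different strings.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"${ALGO}${rounds}${_b64(salt)}${_b64(digest)}"


def check_password_hash(stored: str, candidate: str) -> bool:
    """Re-derive `candidate` with the salt and rounds embedded in `stored`."""
    try:
        _, algo, rounds, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed hash string: wrong number of fields
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(rounds))
    # Constant-time comparison so a mismatch cannot be timed byte by byte.
    return hmac.compare_digest(actual, expected)


def parse_bcrypt_hash(h: str) -> dict:
    """Split a real bcrypt string into its fields.

    Layout: '$2b$<cost>$' + 22 salt characters + 31 hash characters,
    60 characters in total. The 22-character block is the salt that bcrypt
    reads back when checking a password.
    """
    if len(h) != 60 or not h.startswith("$2"):
        raise ValueError("not a bcrypt hash")
    _, version, cost, rest = h.split("$")
    return {"version": version, "cost": int(cost), "salt": rest[:22], "hash": rest[22:]}


if __name__ == "__main__":
    h1 = generate_password_hash("hello")
    h2 = generate_password_hash("hello")
    print("different strings:", h1 != h2)          # True: different salts
    print("h1 verifies:", check_password_hash(h1, "hello"))  # True
    print("h2 verifies:", check_password_hash(h2, "hello"))  # True
    print("wrong case:", check_password_hash(h1, "Hello"))   # False
    # Constructed bcrypt-shaped string, for field parsing only.
    sample = "$2b$12$" + "a" * 22 + "b" * 31
    print(parse_bcrypt_hash(sample))
```

Note that nothing here "decrypts" the stored value: verification only ever runs the one-way function forward, using the parameters recorded next to the digest, and compares the outputs in constant time.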

Ahmad Faris (1,656 Points)

Thanks for your explanation Chris Freeman, appreciate it!

I'm assuming the "salts" are saved into the database in a very secure manner, right?

Chris Freeman (Treehouse Moderator, 68,457 Points)

Even if the passwords and salt were uncovered, it is still extremely hard to guess the password.